    CVE-2021-44228 log4j Remote Code Execution Vulnerability

      dhckris

      Until Mango is patched to use log4j 2.15 (currently 2.10 on Mango 3.7.7) you can do the following:

      "Users of Log4j 2.10 or greater may add -Dlog4j.formatMsgNoLookups=true as a command line option or add log4j.formatMsgNoLookups=true to a log4j2.component.properties file on the classpath to prevent lookups in log event messages."

      I just tested on my laptop and I'm no longer able to recreate the vuln, yet you will lose logs.
      (Have not tested in production, do not know if any bugs will occur due to the mitigation)

      See:
      https://logging.apache.org/log4j/2.x/index.html

      https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/

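As an added example (not part of the original posts or of Mango itself), the shell functions below audit a directory for the mitigation quoted above: they list each log4j-core jar, read its version from the file name, and report whether a log4j2.component.properties file sets log4j.formatMsgNoLookups=true. The directory argument, the status labels and the reliance on upstream jar file names are assumptions of this example, and a -D flag on the JVM command line is not inspected.

```shell
#!/bin/sh
# Added example (not from the thread): report, per log4j-core jar under a
# directory, whether the quoted formatMsgNoLookups mitigation is in place.
# Assumption: jars keep the upstream file name log4j-core-<version>.jar.

# Print the version embedded in a jar file name, e.g. 2.10.0
log4j_version() {
    basename "$1" | sed -n 's/^log4j-core-\([0-9][0-9.]*[0-9]\).*\.jar$/\1/p'
}

# Succeed if version $1 is 2.<minor> with minor >= $2, or a later major
minor_at_least() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge "$2" ]; }
}

# Succeed if a log4j2.component.properties under DIR sets the property to true
has_nolookups_property() {
    find "$1" -type f -name log4j2.component.properties -exec grep -Eq \
        '^[[:space:]]*log4j\.formatMsgNoLookups[[:space:]]*[=:][[:space:]]*true[[:space:]]*$' \
        {} \; -print | grep -q .
}

# Print "<version> <status> <path>" for every log4j-core jar under DIR
audit_log4j() {
    dir=$1
    if has_nolookups_property "$dir"; then prop=yes; else prop=no; fi
    find "$dir" -type f -name 'log4j-core-*.jar' | sort | while IFS= read -r jar; do
        ver=$(log4j_version "$jar")
        if [ -z "$ver" ]; then status=UNKNOWN_VERSION
        elif minor_at_least "$ver" 15; then status=AT_LEAST_2_15   # release named in the post
        elif ! minor_at_least "$ver" 10; then status=FLAG_NOT_SUPPORTED
        elif [ "$prop" = yes ]; then status=PROPERTY_SET
        else status=PROPERTY_MISSING
        fi
        printf '%s %s %s\n' "${ver:--}" "$status" "$jar"
    done
}

# Stand-alone use: sh audit.sh /path/to/install (path supplied by the operator)
if [ $# -gt 0 ]; then audit_log4j "$1"; fi
```

Finding the properties file only shows that it exists under the directory; confirm separately that its location is on the application's classpath.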
        mumcs01

        Thanks for the note! It's been a top priority today, and we are happy to have a resolution for everyone as of an hour ago. This vulnerability is going to be a pretty big deal for lots of software out in the wild, and we are super pleased we were able to get a fix out, and roll both 3.7 and 4.2 updates pretty much in hours for everyone.

        Please see the info here: https://forum.mango-os.com/topic/5404/apache-cve-2021-44228-log4j-remote-code-execution-vulnerability-resolution

        Have a wonderful weekend!
        Mike.
