CVE-2021-44228 log4j Remote Code Execution Vulnerability
Until Mango is patched to use log4j 2.15 (currently 2.10 on Mango 3.7.7) you can do the following:
">Users of Log4j 2.10 or greater may add -Dlog4j.formatMsgNoLookups=true as a command line option or add log4j.formatMsgNoLookups=true to a log4j2.component.properties file on the classpath to prevent lookups in log event messages."
I just tested on my laptop and I'm no longer able to recreate the vuln, yet you will lose logs.
(Have not tested in production, do not know if any bugs will occur due to the mitigation)
mumcs01 last edited by
Thanks for the note! It's been a top priority today, and we are happy to have a resolution for everyone as of an hour ago. This vulnerability is going to be a pretty big deal for lots of software out in the wild, and we are super pleased we were able to get a fix out, and roll both 3.7 and 4.2 updates pretty much in hours for everyone.
Please see the info here: https://forum.mango-os.com/topic/5404/apache-cve-2021-44228-log4j-remote-code-execution-vulnerability-resolution
Have a wonderful weekend!