@jared-wiltshire Awesome! Thanks for the super speedy update.
Best posts made by dhckris
-
RE: Apache CVE-2021-44228 log4j Remote Code Execution Vulnerability Resolution
Latest posts made by dhckris
-
RE: Apache CVE-2021-44228 log4j Remote Code Execution Vulnerability Resolution
@jared-wiltshire Awesome! Thanks for the super speedy update.
-
RE: Apache CVE-2021-44228 log4j Remote Code Execution Vulnerability Resolution
@mumcs01 Thank you for the post!
Any timeline on updating to log4j 2.16?
Apache put out a bulletin [1] regarding there still being pathways to exploit that 2.15 doesn't resolve.
[1] https://logging.apache.org/log4j/2.x/security.html -
CVE-2021-44228 log4j Remote Code Execution Vulnerability
Until Mango is patched to use log4j 2.15 (currently 2.10 on Mango 3.7.7) you can do the following:
">Users of Log4j 2.10 or greater may add -Dlog4j.formatMsgNoLookups=true as a command line option or add log4j.formatMsgNoLookups=true to a log4j2.component.properties file on the classpath to prevent lookups in log event messages."
I just tested on my laptop and I'm no longer able to recreate the vuln, yet you will lose logs.
(Have not tested in production, do not know if any bugs will occur due to the mitigation)See:
https://logging.apache.org/log4j/2.x/index.htmlhttps://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/