@jared-wiltshire Awesome! Thanks for the super speedy update.
Posts made by dhckris

- RE: Apache CVE-2021-44228 log4j Remote Code Execution Vulnerability Resolution
@mumcs01 Thank you for the post!
Any timeline on updating to log4j 2.16?
Apache put out a bulletin [1] regarding there still being pathways to exploit that 2.15 doesn't resolve.
[1] https://logging.apache.org/log4j/2.x/security.html

- CVE-2021-44228 log4j Remote Code Execution Vulnerability
Until Mango is patched to use log4j 2.15 (currently 2.10 on Mango 3.7.7) you can do the following:
> "Users of Log4j 2.10 or greater may add -Dlog4j.formatMsgNoLookups=true as a command line option or add log4j.formatMsgNoLookups=true to a log4j2.component.properties file on the classpath to prevent lookups in log event messages."
I just tested on my laptop and I'm no longer able to recreate the vuln, yet you will lose logs.
(Have not tested in production, do not know if any bugs will occur due to the mitigation)

See:
https://logging.apache.org/log4j/2.x/index.html
https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/
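The post above quotes two ways to apply the interim mitigation (a JVM `-D` option or a `log4j2.component.properties` entry) and notes that it only works on Log4j 2.10 or newer, while the earlier post points out that 2.15 still leaves open pathways and 2.16 is the target. The following added example (not code from this forum, from dhckris, or from Radix IoT/Mango) is a small checker a defender can run against a captured JVM command line and the contents of a classpath properties file to classify a service's state against exactly those version boundaries. The sample command line, jar name and properties body are constructed for the example.

```python
"""Classify a Java service's Log4j 2 exposure from the facts a defender can collect:
the Log4j version, the JVM command line, and any log4j2.component.properties on the classpath.

Added example, not from the forum thread or the Mango project. Boundaries used:
  - >= 2.16  : lookups removed from message formatting (the upgrade the thread asks for)
  - 2.15     : fix release that, per the Apache bulletin cited above, still leaves pathways
  - 2.10-2.14: the formatMsgNoLookups mitigation is honoured
  - <  2.10  : the flag has no effect, so the service stays vulnerable regardless of flags
"""
from __future__ import annotations

import re
import shlex

FLAG_KEY = "log4j.formatMsgNoLookups"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.10' or '2.15.0' into an integer tuple so versions compare correctly."""
    return tuple(int(part) for part in version.strip().split("."))


def jvm_has_nolookups(cmdline: str) -> bool:
    """True if the JVM command line carries -Dlog4j.formatMsgNoLookups=true (case-insensitive value)."""
    for token in shlex.split(cmdline):
        match = re.fullmatch(r"-D" + re.escape(FLAG_KEY) + r"=(\w+)", token)
        if match and match.group(1).lower() == "true":
            return True
    return False


def properties_has_nolookups(properties_text: str) -> bool:
    """True if a log4j2.component.properties body sets log4j.formatMsgNoLookups=true.

    Comment lines (# or !) are skipped; both '=' and ':' separators are accepted,
    as in Java properties files.
    """
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        match = re.match(r"^" + re.escape(FLAG_KEY) + r"\s*[=:]\s*(\S+)", line)
        if match and match.group(1).lower() == "true":
            return True
    return False


def assess(log4j_version: str, cmdline: str = "", properties_text: str = "") -> str:
    """Return one of 'patched', 'partial', 'mitigated', 'vulnerable'."""
    version = parse_version(log4j_version)
    if version >= (2, 16):
        return "patched"
    if version >= (2, 15):
        return "partial"  # bulletin cited in the thread: 2.15 does not close every pathway
    flag_set = jvm_has_nolookups(cmdline) or properties_has_nolookups(properties_text)
    if version >= (2, 10) and flag_set:
        return "mitigated"
    return "vulnerable"  # either no flag, or a version too old for the flag to matter


# Constructed sample inputs (not real Mango process data).
SAMPLE_CMDLINE = "java -Xmx2g -Dlog4j.formatMsgNoLookups=true -jar /opt/example/app.jar"
SAMPLE_PROPERTIES = "# constructed classpath file\nlog4j.formatMsgNoLookups = true\n"


def demo() -> dict[str, str]:
    """Run the checker over a few constructed scenarios and return the classifications."""
    return {
        "3.7.7 default (2.10, no flag)": assess("2.10"),
        "2.10 with -D flag": assess("2.10", SAMPLE_CMDLINE),
        "2.10 with properties file": assess("2.10", "", SAMPLE_PROPERTIES),
        "2.9 with -D flag (too old)": assess("2.9", SAMPLE_CMDLINE),
        "2.15.0": assess("2.15.0"),
        "2.16.0": assess("2.16.0"),
    }


if __name__ == "__main__":
    for scenario, state in demo().items():
        print(f"{scenario}: {state}")
```

On a live host the inputs come from `ps -o args= -p <pid>` for the command line and from whichever directory or jar on the classpath holds `log4j2.component.properties`; the version comes from the `log4j-core` jar name. Treat "mitigated" as a stopgap until the upgrade the thread calls for is applied.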