Кто все выходные апгрейдил Log4j до v2.15? Приготовиться к новому броску

[idle0]

Кто все выходные апгрейдил Log4j до v2.15? Приготовиться к новому броску

https://nvd.nist.gov/vuln/detail/CVE-2021-45046

Description

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

[mikeG]

Хе-хе.

[Сабина]

Ну что мы на 2.17 остановились или нет ?
Я не на работе с понедельника, не в курсе

[Palych]

Пока 2.17,
Посмотрим понадобится ли бустер раз в неделю...

[liamkin]

Вот короткая сводка
for v1.x - remove JMSAppender and SocketServer
zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class
zip -q -d log4j-*.jar org/apache/log4j/net/SocketServer.class

for versions 2.X:
remove JndiLookup class
zip -q -d 'log4j-core-*.jar' org/apache/logging/log4j/core/lookup/JndiLookup.class

Ну там еще апгрейд до 2.17.1, 2.12.4 или 2.3.2
https://logging.apache.org/log4j/2.x/security.html