

There is a critical security vulnerability (CVE-2021-44228, aka Log4Shell) in the Java library log4j, which is a popular logging library for Java applications. It is included in both Adobe ColdFusion and Lucee, for example. Putting together some info to help sort this issue out as it pertains to ColdFusion and Lucee users.

TLDR: Adobe ColdFusion users should upgrade to either ColdFusion 2018 Update 14 or ColdFusion 2021 Update 4 (both now use log4j version 2.17.2). Lucee has released version 5.3.9.133 with Log4j 2.17.2; earlier Lucee versions used log4j 1.x.

What versions of log4j are vulnerable to CVE-2021-44228?

Versions affected: all versions from 2.0-beta9 to 2.14.1. Here's the JIRA issue for when the JNDI lookup feature was added in 2.0-beta9: LOG4J2-313.

It appears that the fix in 2.15.0 and the JVM mitigation was incomplete. Another issue was found in 2.15.0, a more serious / critical RCE; version 2.16.0 was released to fix it. A Denial of Service (DoS) issue exists in 2.16.0 and below, fixed in 2.17.0. Log4j versions 2.17.0 and below are vulnerable to an RCE when the attacker can modify the log4j configuration; 2.17.1 was released to address this issue.

Here's a list of possible mitigations, initially sourced from LunaSec's blog:

Add JVM arg: -Dlog4j2.formatMsgNoLookups=true (only works on log4j 2.10.0 and up).
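To turn the version ranges above into something an admin can run against the log4j-core jar found in a ColdFusion or Lucee install, here is an added triage helper (example code written for this page, not the author's or the log4j project's). It assumes jar names of the form log4j-core-X.Y.Z.jar and only encodes the ranges stated above; it does not scan or patch anything.

```python
"""Classify a log4j 2.x version against the issue ranges described above."""
import re
from typing import List, Tuple

# Pre-release tags sort before the final release of the same number.
_PRE = {"alpha": 0, "beta": 1, "rc": 2}

def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.0-beta9' or '2.17.1' into a tuple that compares correctly."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {v!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    pre_kind, pre_num = m[4], int(m[5] or 0)
    # Final releases rank 3 so that 2.0-beta9 < 2.0 < 2.0.1.
    rank = _PRE[pre_kind] if pre_kind else 3
    return (major, minor, patch, rank, pre_num)

def version_from_jar_name(path: str) -> str:
    """Extract the version from a jar path such as '.../log4j-core-2.17.2.jar'."""
    m = re.search(r"log4j-core-(.+?)\.jar$", path)
    if not m:
        raise ValueError(f"not a log4j-core jar: {path!r}")
    return m[1]

def triage(version: str) -> List[str]:
    """Return every finding from the ranges above that applies to this version."""
    v = parse_version(version)
    if v[0] != 2:
        return ["not a log4j 2.x version; outside the 2.x ranges covered here"]
    findings = []
    if parse_version("2.0-beta9") <= v <= parse_version("2.14.1"):
        findings.append("CVE-2021-44228 (Log4Shell) JNDI lookup RCE, fixed in 2.15.0 (incomplete)")
    if v == parse_version("2.15.0"):
        findings.append("2.15.0 fix was incomplete; further critical RCE, fixed in 2.16.0")
    if v <= parse_version("2.16.0"):
        findings.append("Denial of Service issue, fixed in 2.17.0")
    if v <= parse_version("2.17.0"):
        findings.append("RCE when an attacker can modify the log4j configuration, fixed in 2.17.1")
    return findings

def jvm_flag_applies(version: str) -> bool:
    """-Dlog4j2.formatMsgNoLookups=true is only honoured by 2.10.0 and up."""
    return parse_version(version) >= parse_version("2.10.0")

if __name__ == "__main__":
    # Constructed sample path; the ColdFusion 2021 Update 4 jar is 2.17.2 per the text above.
    ver = version_from_jar_name("/opt/coldfusion2021/cfusion/lib/log4j-core-2.17.2.jar")
    print(ver, triage(ver) or ["no findings from the ranges above"], jvm_flag_applies(ver))
```

Upgrading to a jar that triages clean (2.17.1 or later) is the fix; the JVM flag is only a stop-gap, and the text above notes that mitigation was found to be incomplete.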
