Log4j 2 Security Vulnerabilities Update Guide

Published: 2021-12-29
Last Updated: 2021-12-29 19:30:39 UTC
by Russ McRee (Version: 1)
0 comment(s)

As Apache Log4j 2 security vulnerabilities continue to surface, and are quickly addressed by the Log4j Security Team, keeping track of specific CVEs, severity, and affected versions can be a bit of a task on the fly. As such, herein is a quick table version of update guidance. The current supported version of Log4j2 for Java 8 is 2.17.1 as of this writing.

Note: Log4j 1 is end of life and no longer supported. Java 7 and 6 are end of life and no longer supported. Please upgrade to current, supported versions accordingly.

Log4j 2 Security Vulnerabilities Update Guide Reference: https://logging.apache.org/log4j/2.x/security.html
Severity CVE fixed Description CVSS Java 8 Java 7 Java 6 Versions Affected
Moderate CVE-2021-44832 Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration. 6.6 2.17.1 2.12.4 2.3.2 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4
Moderate CVE-2021-45105 Apache Log4j2 does not always protect from infinite recursion in lookup evaluation 5.9 2.17.0 2.12.3 2.3.1 All versions from 2.0-beta9 to 2.16.0, excluding 2.12.3
Critical CVE-2021-45046 Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations 9 2.16.0 2.12.2   All versions from 2.0-beta9 to 2.15.0, excluding 2.12.2
Critical CVE-2021-44228 Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints. 10 2.15.0     All versions from 2.0-beta9 to 2.14.1

Russ McRee | @holisticinfosec


Keywords: Log4j
0 comment(s)
ISC Stormcast For Wednesday, December 29th, 2021 https://isc.sans.edu/podcastdetail.html?id=7814


Diary Archives