Log4j 2 Security Vulnerabilities Update Guide
As Apache Log4j 2 security vulnerabilities continue to surface, and are quickly addressed by the Log4j Security Team, keeping track of specific CVEs, severity, and affected versions can be a bit of a task on the fly. As such, herein is a quick table version of update guidance. The current supported version of Log4j2 for Java 8 is 2.17.1 as of this writing.
Note: Log4j 1 is end of life and no longer supported. Java 7 and 6 are end of life and no longer supported. Please upgrade to current, supported versions accordingly.
Log4j 2 Security Vulnerabilities Update Guide | Reference: https://logging.apache.org/log4j/2.x/security.html

| Severity | CVE fixed | Description | CVSS | Java 8 | Java 7 | Java 6 | Versions Affected |
|---|---|---|---|---|---|---|---|
| Moderate | CVE-2021-44832 | Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration. | 6.6 | 2.17.1 | 2.12.4 | 2.3.2 | 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4 |
| Moderate | CVE-2021-45105 | Apache Log4j2 does not always protect from infinite recursion in lookup evaluation. | 5.9 | 2.17.0 | 2.12.3 | 2.3.1 | All versions from 2.0-beta9 to 2.16.0, excluding 2.12.3 |
| Critical | CVE-2021-45046 | Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations. | 9 | 2.16.0 | 2.12.2 | | All versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 |
| Critical | CVE-2021-44228 | Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints. | 10 | 2.15.0 | | | All versions from 2.0-beta9 to 2.14.1 |
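The table is most useful when it is applied to an inventory rather than read by hand, and the awkward part of doing that is version ordering: `2.0-beta9` precedes `2.0`, `2.0-alpha7` precedes `2.0-beta9`, and the "excluding" entries are back-ported fixes that sit numerically inside the affected range. The following script is an added example, not code from this diary or from the Apache Log4j project. The ranges and fix versions are transcribed from the table above; the version parser, the `assess()` function and the inventory lines are this example's own. One rule is an assumption of the example: a version at or above a listed fix in the same `2.x` line (for instance `2.12.3` relative to the `2.12.2` fix) is treated as fixed for that advisory, which is how the table's "excluding" clauses are read here. Where the table lists no fix for a Java line, the CVE is reported as unresolved rather than dropped, which is the cue to consult the Apache security page linked above.

```python
"""Assess an installed Log4j 2 version against the CVE table above.

Added example; not code from the ISC diary or the Apache Log4j project.
The ranges and fix versions are transcribed from the table; the parser,
the comparison rule and the assess() API are this example's own.
"""
import re
from dataclasses import dataclass

# Pre-release stage ordering: alpha < beta < rc < final release.
_STAGE = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL = 3


def parse_version(text):
    """Convert a Log4j 2 version string into a tuple that sorts correctly.

    '2.0-alpha7' -> (2, 0, 0, 0, 7)   '2.0-beta9' -> (2, 0, 0, 1, 9)
    '2.0'        -> (2, 0, 0, 3, 0)   '2.17.1'    -> (2, 17, 1, 3, 0)
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?",
                     text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, stage, n = m.groups()
    return (int(major), int(minor), int(patch or 0),
            _STAGE[stage] if stage else _FINAL, int(n or 0))


@dataclass(frozen=True)
class Advisory:
    cve: str
    severity: str
    first: str    # earliest affected version (inclusive)
    last: str     # latest affected version (inclusive)
    fixed: dict   # Java major version -> Log4j release that fixes it


# Rows transcribed from the table; a Java line is absent where the table lists no fix.
ADVISORIES = (
    Advisory("CVE-2021-44228", "Critical", "2.0-beta9", "2.14.1", {8: "2.15.0"}),
    Advisory("CVE-2021-45046", "Critical", "2.0-beta9", "2.15.0", {8: "2.16.0", 7: "2.12.2"}),
    Advisory("CVE-2021-45105", "Moderate", "2.0-beta9", "2.16.0", {8: "2.17.0", 7: "2.12.3", 6: "2.3.1"}),
    Advisory("CVE-2021-44832", "Moderate", "2.0-alpha7", "2.17.0", {8: "2.17.1", 7: "2.12.4", 6: "2.3.2"}),
)


def is_affected(version, adv):
    """True if `version` is inside the advisory's range and not at or above a
    listed fix in the same 2.x line (assumption: later patch releases of a
    back-ported fix line inherit the fix, matching the table's 'excluding' entries)."""
    v = parse_version(version)
    if not parse_version(adv.first) <= v <= parse_version(adv.last):
        return False
    for fix in adv.fixed.values():
        f = parse_version(fix)
        if v[:2] == f[:2] and v >= f:
            return False
    return True


def assess(version, java_major=8):
    """Return (open CVE ids, upgrade target, CVEs with no listed fix for this Java line).

    The target is the highest fix version the table lists for `java_major`
    among the open CVEs, or None when no listed fix applies.
    """
    open_advs = [adv for adv in ADVISORIES if is_affected(version, adv)]
    targets, unresolved = [], []
    for adv in open_advs:
        fix = adv.fixed.get(java_major)
        if fix:
            targets.append(fix)
        else:
            unresolved.append(adv.cve)
    target = max(targets, key=parse_version) if targets else None
    return [adv.cve for adv in open_advs], target, unresolved


if __name__ == "__main__":
    # Constructed inventory lines: hostname, Log4j version, Java major version.
    inventory = [("app01", "2.14.1", 8), ("app02", "2.12.2", 7),
                 ("app03", "2.17.1", 8), ("app04", "2.0-beta8", 8)]
    for host, ver, java in inventory:
        cves, target, unresolved = assess(ver, java)
        print(f"{host}: log4j {ver} / java {java}: open={cves} "
              f"upgrade_to={target} no_fix_listed={unresolved}")
```

Note that the script applies the table literally: `2.12.2` on Java 7 comes back with CVE-2021-44228 unresolved because the table lists only a Java 8 fix for that CVE, and a `2.0-beta8` host is flagged only for CVE-2021-44832, whose range starts at `2.0-alpha7` rather than `2.0-beta9`.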
Keywords: Log4j
ISC Stormcast For Wednesday, December 29th, 2021 https://isc.sans.edu/podcastdetail.html?id=7814