musenax.blogg.se

Sas jmp wincc

Also, presence of 1.x is not good - 1.x went EOL in August 2015!

  • Affected versions: log4j 2.x confirmed; log4j 1.x only indirectly, in some configurations (previous information disclosure vulns, harder to exploit).
  • Downstream projects: until proven otherwise, assume anything that includes log4j, or depends on something that does, is affected in a way that requires mitigation (see below).
  • Targets: Servers and clients that run Java and also log anything using the log4j framework - primarily a server-side concern, but any vulnerable endpoint could be a target or a pivot point.
  • Impact: arbitrary code execution as the user the parent process is running as (code fetched from the public Internet, or lolbins already present on the system, or just fetching shared secrets or environment variables and returning them to the attacker).
  • Apache is now publishing known post-EOL log4j 1.2 vulnerabilities (even though they will not be fixed).
  • cisagov/log4j-scanner - CISA has a scanner!

  • VMware latest workarounds (script to remove class) - urgent - Conti ransomware seen leveraging log4shell against VMware (Cimpanu).
  • CISA has issued Emergency Directive 22-02 - required patching timeline changed from Dec 24 to immediately.
  • Apache security summary - regularly updated - summary of valid workarounds below.
  • Version 2.17 is out - fixes the DoS, but IMO if your vendor only has a 2.16-based fix, apply that now instead of waiting (CVSS 10 is more urgent).
  • Newer NIST CVE-2021-45046 - changed to RCE 9.0 (but requires non-default config).
  • NOTE: All previous mitigations - based on anything other than upgrading to log4j 2.16 (or higher) or entirely removing JndiLookup classes - are no longer effective mitigation.
  • Worm? - Kevin Beaumont and Marcus Hutchins say not really, because it has a hard-coded LDAP server - but better versions may be feasible soon.
  • Big new joint CISA / Five Eyes mitigation advisory.
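
The NOTE above names removing the JndiLookup classes as one of the two mitigations that still hold. The following is an added example, not code from the original page or from any of the tools it lists: a check that reports every archive, including jars nested inside WARs or fat jars, that still contains `JndiLookup.class`. The archive names and contents are constructed placeholders, and the helper names are hypothetical.

```python
import io
import zipfile

# Class the removal mitigation deletes from log4j-core 2.x.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def find_jndi_lookup(data, label="<archive>", max_depth=5):
    """Return labels of every (possibly nested) archive still holding JndiLookup.class."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not an archive (or corrupt): nothing to report
    with zf:
        for name in zf.namelist():
            # Second test covers copies unpacked under a prefix directory.
            if name == JNDI_CLASS or name.endswith("/" + JNDI_CLASS):
                hits.append(label)
            elif name.lower().endswith(ARCHIVE_EXTS) and max_depth > 0:
                # Fat jars and WARs bundle log4j-core inside, e.g. under WEB-INF/lib/.
                # max_depth bounds recursion on deeply nested or hostile archives.
                hits += find_jndi_lookup(zf.read(name), f"{label}!{name}", max_depth - 1)
    return hits


def make_zip(entries):
    """Build an in-memory archive from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: placeholder names and bytes, not real log4j builds.
CORE_WITH_CLASS = make_zip({JNDI_CLASS: b"\xca\xfe\xba\xbe", "META-INF/MANIFEST.MF": b""})
CORE_STRIPPED = make_zip({"META-INF/MANIFEST.MF": b""})
APP_WAR = make_zip({
    "WEB-INF/lib/log4j-core-sample.jar": CORE_WITH_CLASS,
    "WEB-INF/lib/other-sample.jar": CORE_STRIPPED,
})

if __name__ == "__main__":
    for label, blob in [("app.war", APP_WAR), ("stripped.jar", CORE_STRIPPED)]:
        print(label, "->", find_jndi_lookup(blob, label) or "JndiLookup.class not found")
```

A hit only shows that the class is still present in that archive; it does not identify the log4j version, so pair it with a version check before deciding whether the upgrade or the class removal applies.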

  • CVE-2021-44832 (CVSS 6.6) - do not be alarmed (yet) - it appears to require ability to write a local config file to be exploited ("where an attacker with permission to modify the logging configuration file can construct a malicious configuration").
  • Blackberry researchers discover log4j use by Initial Access Brokers (IABs) against VMware Horizon.

  • Other product and tool lists - see especially new CISA list on GitHub (but only has public info - see these lists if your product is not listed here).

Send updates or suggestions (please include category / context / public (or support-walled) links if you can).

Last updated: $Date: 8 23:26:16 $ UTC - best effort, validate all for your environment/model before use, unofficial sources may be (Royce Williams), standing on the shoulders of many giants