Hi Windham,

Do you have any idea of the level of complexity for us to upgrade log4j?

On Tue, Jan 18, 2022 at 7:30 PM Windham Wong @ StormEye.io <[email protected]> wrote:

> We got another Log4j critical issue here..
>
> Regards J,
> *Windham Wong*
> OSWE, OSCP, GCIA, Specialist in Cybersecurity
> Co-Founder, Managing Partner of
> *Stormeye.io, Hong Kong Managed Security Operation Center Limited*
> Specialist in Cybersecurity, Log Management and SIEM System
> <https://www.stormeye.io>
> Email // [email protected]
> Phone // +852_3590_2212_|_+852_9832_0707 <tel:+85235902212>
> Fax // +852_3590_2202 <tel:+852_3590_2202>
>
> -------- Forwarded Message --------
> Subject: [oss-security] CVE-2022-23307: Apache Log4j 1.x: A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.
> Date: Tue, 18 Jan 2022 14:42:56 +0000
> From: Ralph Goers <[email protected]>
> Reply-To: [email protected]
> To: [email protected]
>
> Severity: Critical
>
> Description:
>
> CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
>
> Mitigation:
>
> Upgrade to Apache Log4j 2 and Apache Chainsaw 2.1.0.
>
> Credit:
>
> @kingkk
