One needs to check *all* jars too. I notice that the c3p0 db connection
pool package uses a lib (by the same author) called mchange-commons that
incorporates log4j:
https://github.com/swaldman/mchange-commons-java/tree/master/src/main/java/com/mchange
$ jar tf ...jar
com/mchange/v2/log/log4j2/MLogAppender.class
com/mchange/v2/log/log4j/Log4jMLog$Log4jMLogger.class
com/mchange/v2/log/log4j2/Log4j2MLog$Log4jMLogger.class
com/mchange/v2/log/log4j2/Log4j2MLog.class
In case anyone else is concerned. I haven't had time to do more than
verify I can't get a side effect from outside my site.
Bill
On 12/16/21 5:26 AM, Joakim Erdfelt wrote:
You have 2 recent CVEs for Log4j 2.x to be aware of - CVE-2021-44228
and CVE-2021-45046.
Both of these are currently resolved by simple upgrading to Log4j2 2.16.0
Log4j 1.x was EOL in August 2015 and now has an ever growing post-EOL
CVE list, it's use in production is not recommended anymore.
As Simone pointed out, Jetty has never had a dependency on log4j, any
version.
If you are using log4j, then you added it to your own copy of Jetty.
Upgrading log4j, or deciding to switch to a different logging
implementation (logback, java.util.logging, etc) will have zero impact
on Jetty itself.
Joakim Erdfelt / joa...@webtide.com <mailto:joa...@webtide.com>
On Thu, Dec 16, 2021 at 12:57 AM Kumar, Amit (Noida) via jetty-dev
<jetty-...@eclipse.org <mailto:jetty-...@eclipse.org>> wrote:
Hi Team,
We are using Below jar provided by you. We want to ensure and know
if it is impacted by “Apache Log4j Tool : Zero Day in Ubiquitous
Under Active Attack (CVE-2021-44228)”. If it’s impacted please let
us know about the security recommendation. To know we are looking
for following answer
Jars:
jetty-4.2.19 4.2.19
jetty-continuation-7.5.4.v20111024 7.5.4
jetty-http-7.5.4.v20111024 7.5.4
jetty-security-7.5.4.v20111024 7.5.4
jetty-util-7.5.4.v20111024 7.5.4
jetty-io-7.5.4.v20111024 7.5.4
jetty-server-7.5.4.v20111024 7.5.4
Are you using log4J?
If you are using log4j 1.x version, are you using JMSAppender class
if you are using log4j 2.x are , what is your security
recommendation to fix the issue
Thanks and regards,
*Amit Kumar*
*Tech Lead, Software Development Engineering*
Financial & Risk Management Solutions
Mobile: +91-9990094588
Upcoming R&R:
*Fiserv *
*Helping Small Businesses Get**Back2Business
<https://urldefense.proofpoint.com/v2/url?u=http-3A__links.mkt030.com_els_v2_RZ22cy4q6bM8_TzJLUFZkYWdITm81S3lmUEFuVlpwT3hCT1FtWFlmMDVVV1g1cTQ2ZnJXRS9FNFR2UkFGVVU0SzBIRHVBUHMwYTdOM2ROV2w3NDZRTEg2aGFaT2NhdGxNMFo2ZjJLclp3N3h1SXgzQys2dU09S0_&d=DwMFaQ&c=rE3mhBYFJfJGqQ7WI0-DPw&r=SsuMM9K4X6-LD5gm7ULhlcCpWEqlIdXt0prnYpS6dss&m=EX9k1mYsarorAHo0fqkLhRLzA8ohktftTCpgsUd_vr0&s=R-6lvnOhG5fnONNKZPmlgec0f7YBuuiH45dZ4t9Y3X4&e=>*
Fiserv
<https://urldefense.proofpoint.com/v2/url?u=http-3A__links.mkt030.com_els_v2_X677F3dKx8Tx_TzJLUFZkYWdITm81S3lmUEFuVlpwT3hCT1FtWFlmMDVVV1g1cTQ2ZnJXRS9FNFR2UkFGVVU0SzBIRHVBUHMwYTdOM2ROV2w3NDZRTEg2aGFaT2NhdGxNMFo2ZjJLclp3N3h1SXgzQys2dU09S0_&d=DwMFaQ&c=rE3mhBYFJfJGqQ7WI0-DPw&r=SsuMM9K4X6-LD5gm7ULhlcCpWEqlIdXt0prnYpS6dss&m=EX9k1mYsarorAHo0fqkLhRLzA8ohktftTCpgsUd_vr0&s=NGFO_LDQrhMwepNez_lhHhtYeLweF4IK5nDNtCpnCic&e=>
| Join Our Team
<https://urldefense.proofpoint.com/v2/url?u=http-3A__links.mkt030.com_els_v2_j9LLfXwgErFR_TzJLUFZkYWdITm81S3lmUEFuVlpwT3hCT1FtWFlmMDVVV1g1cTQ2ZnJXRS9FNFR2UkFGVVU0SzBIRHVBUHMwYTdOM2ROV2w3NDZRTEg2aGFaT2NhdGxNMFo2ZjJLclp3N3h1SXgzQys2dU09S0_&d=DwMFaQ&c=rE3mhBYFJfJGqQ7WI0-DPw&r=SsuMM9K4X6-LD5gm7ULhlcCpWEqlIdXt0prnYpS6dss&m=EX9k1mYsarorAHo0fqkLhRLzA8ohktftTCpgsUd_vr0&s=AovzNmRVWUIYoZzsyaRayRoSza5FiHf_XI4QYRFpUKQ&e=>
| Twitter
<https://urldefense.proofpoint.com/v2/url?u=http-3A__links.mkt030.com_els_v2_bxXXB-2DpG2wfb_TzJLUFZkYWdITm81S3lmUEFuVlpwT3hCT1FtWFlmMDVVV1g1cTQ2ZnJXRS9FNFR2UkFGVVU0SzBIRHVBUHMwYTdOM2ROV2w3NDZRTEg2aGFaT2NhdGxNMFo2ZjJLclp3N3h1SXgzQys2dU09S0_&d=DwMFaQ&c=rE3mhBYFJfJGqQ7WI0-DPw&r=SsuMM9K4X6-LD5gm7ULhlcCpWEqlIdXt0prnYpS6dss&m=EX9k1mYsarorAHo0fqkLhRLzA8ohktftTCpgsUd_vr0&s=C131Xh7_qy_-NgY7CtUnhDREDFghFEQXaGsNPSbLZQw&e=>
| LinkedIn
<https://urldefense.proofpoint.com/v2/url?u=http-3A__links.mkt030.com_els_v2_z9-5F-5FfAx8R-7EBm_TzJLUFZkYWdITm81S3lmUEFuVlpwT3hCT1FtWFlmMDVVV1g1cTQ2ZnJXRS9FNFR2UkFGVVU0SzBIRHVBUHMwYTdOM2ROV2w3NDZRTEg2aGFaT2NhdGxNMFo2ZjJLclp3N3h1SXgzQys2dU09S0_&d=DwMFaQ&c=rE3mhBYFJfJGqQ7WI0-DPw&r=SsuMM9K4X6-LD5gm7ULhlcCpWEqlIdXt0prnYpS6dss&m=EX9k1mYsarorAHo0fqkLhRLzA8ohktftTCpgsUd_vr0&s=nur3UqZMYo9u9wV8r9dN7NTf7ruHik2RoHJBApj4rBQ&e=>
| Facebook
<https://urldefense.proofpoint.com/v2/url?u=http-3A__links.mkt030.com_els_v2_ebwwFvy-7EgkQ7_TzJLUFZkYWdITm81S3lmUEFuVlpwT3hCT1FtWFlmMDVVV1g1cTQ2ZnJXRS9FNFR2UkFGVVU0SzBIRHVBUHMwYTdOM2ROV2w3NDZRTEg2aGFaT2NhdGxNMFo2ZjJLclp3N3h1SXgzQys2dU09S0_&d=DwMFaQ&c=rE3mhBYFJfJGqQ7WI0-DPw&r=SsuMM9K4X6-LD5gm7ULhlcCpWEqlIdXt0prnYpS6dss&m=EX9k1mYsarorAHo0fqkLhRLzA8ohktftTCpgsUd_vr0&s=hd3ZCW13ah-YOC_rC0AZIjDWrL_h6jiYvxFA2dPfi_c&e=>
FORTUNE *World's Most Admired Companies®*
2014 | 2015 | 2016 | 2017 | 2018 | 2019 | 2020 | 2021
© 2021 Fiserv Inc. or its affiliates. Fiserv is a registered
trademark of Fiserv Inc. Privacy Notice
<https://urldefense.proofpoint.com/v2/url?u=http-3A__links.mkt030.com_els_v2_w-5F33sEW2jps3_TzJLUFZkYWdITm81S3lmUEFuVlpwT3hCT1FtWFlmMDVVV1g1cTQ2ZnJXRS9FNFR2UkFGVVU0SzBIRHVBUHMwYTdOM2ROV2w3NDZRTEg2aGFaT2NhdGxNMFo2ZjJLclp3N3h1SXgzQys2dU09S0_&d=DwMFaQ&c=rE3mhBYFJfJGqQ7WI0-DPw&r=SsuMM9K4X6-LD5gm7ULhlcCpWEqlIdXt0prnYpS6dss&m=EX9k1mYsarorAHo0fqkLhRLzA8ohktftTCpgsUd_vr0&s=aSztimCBadAn9CoDhVg4wBWZM1vKatItDvP9Kz3EvC4&e=>
© 2021 Fortune Media IP Limited. Used under license.
_______________________________________________
jetty-dev mailing list
jetty-...@eclipse.org <mailto:jetty-...@eclipse.org>
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-dev
<https://www.eclipse.org/mailman/listinfo/jetty-dev>
_______________________________________________
jetty-users mailing list
jetty-users@eclipse.org
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
--
Phobrain.com
_______________________________________________
jetty-users mailing list
jetty-users@eclipse.org
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
