Hello,

On 13 Dec 2021, at 20:56, Daniele Corti via Webobjects-dev 
<webobjects-dev@lists.apple.com> wrote:

> Today the vulnerability CVE-2021-44228 details (log4j) are out and it looks 
> like all log4j versions are affected!
> 
> I’ve seen many attempts in the logs of the servers, but I was not able to 
> understand if my ERJar, which contains log4j-1.2.17, is also affected.

As Ken Anderson noted, it only affects versions >=2.0-beta9 and <=2.14.1.

https://logging.apache.org/log4j/2.x/security.html

So log4j-1.2.17 specifically is unaffected. If that's the only Log4J you've got 
on the classpath, you're not affected. If you're running a vanilla Wonder app, 
you're almost certainly not using Log4J 2.

> Was anyone able to check if the standard 
> er.extensions.logging.ERXConsoleAppender is vulnerable?

It's "vulnerable" only to the extent that it does use '%m' to print the log 
message (and a potential mitigation is to use '%m{nolookups}' if you're on 
version >= 2.7), but that's only relevant if you're using a vulnerable version 
of Log4J 2.

Here are some brief notes I posted to Slack earlier today:

* The good news is that if you're just using vanilla WebObjects/Wonder, you're 
probably not affected by it: Wonder is still on Log4J 1. You might have a 
dependency pulling in Log4J 2, though it's not clear to me whether that would 
matter unless you had the app-level co-operation to set up and use Log4J 2 to 
do actual logging. If you're using Maven, it's very easy to check: "mvn 
dependency:tree | grep log4j".

* In any case, if you're definitely using Log4J 2 (we are—I went to some effort 
months ago to set it up!), you can mitigate the issue immediately by 
re-launching all instances with "-Dlog4j2.formatMsgNoLookups=true". That will 
give you time to re-build with Log4J 2.15.0.

* Finally, if you're using AWS and you're using Web Application Firewall (WAF, 
which I highly recommend), you're already covered by the 
AWSManagedRulesKnownBadInputsRuleSet rules—if you're not using that set, add it 
immediately.


-- 
Paul Hoadley
https://logicsquad.net/
https://www.linkedin.com/company/logic-squad/
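
An added example (not from the list or from Paul's message) of the classpath
check discussed above, done against the jars themselves rather than the Maven
tree: it opens each jar, reads the version from log4j-core's Maven
pom.properties (falling back to the filename), looks for JndiLookup.class, and
classifies the jar against the 2.0-beta9 to 2.14.1 range given in the reply. A
plain Log4J 1.x jar is reported as not affected. The sample jars are
constructed stand-ins built in memory with empty class entries; the entry paths
assume the standard layout of the log4j-core artifact.

```python
"""Scan jars for Log4j 2 core and classify them against CVE-2021-44228.

Added example; not part of the list message. Sample jars are constructed.
"""
import io
import os
import re
import sys
import zipfile

# Affected range as stated in the reply: 2.0-beta9 through 2.14.1 inclusive.
AFFECTED_LOW = "2.0-beta9"
AFFECTED_HIGH = "2.14.1"

# Standard entry paths inside a log4j-core jar (assumed layout of the Maven artifact).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_MARKER = "org/apache/log4j/Logger.class"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+)?)?$", re.IGNORECASE)
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}   # pre-releases sort before final (rank 3)


def version_key(v):
    """Map '2.0-beta9' / '2.0-rc1' / '2.14.1' to a tuple that sorts in release order."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {v!r}")
    major, minor, patch, stage, stage_num = m.groups()
    rank = _STAGE_RANK[stage.lower()] if stage else 3
    return (int(major), int(minor), int(patch or 0), rank, int(stage_num or 0))


def is_affected(v):
    """True if version v falls inside the affected range (inclusive at both ends)."""
    return version_key(AFFECTED_LOW) <= version_key(v) <= version_key(AFFECTED_HIGH)


def scan_jar(name, src):
    """Classify one jar. `src` is a path or a file-like object; `name` is used for
    the filename fallback. Returns a dict with version, class presence and status."""
    with zipfile.ZipFile(src) as zf:
        names = set(zf.namelist())
        version = None
        if LOG4J2_CORE_POM in names:
            for line in zf.read(LOG4J2_CORE_POM).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    if version is None:                      # shaded or repackaged jar: try the filename
        m = re.search(r"log4j-core-([0-9][^/]*?)\.jar$", name)
        if m:
            version = m.group(1)
    has_jndi = JNDI_LOOKUP_CLASS in names
    if LOG4J1_MARKER in names and not has_jndi:
        status = "log4j-1.x: not affected by CVE-2021-44228"
    elif version is not None:
        status = "AFFECTED" if is_affected(version) else "log4j-core present, outside affected range"
    elif has_jndi:
        status = "JndiLookup.class present but version unknown: treat as affected"
    else:
        status = "no log4j found"
    return {"jar": name, "version": version, "jndi_lookup": has_jndi, "status": status}


def scan_all(jars):
    """Scan a mapping of name -> path/file-like object."""
    return [scan_jar(name, src) for name, src in jars.items()]


def scan_directory(root):
    """Walk a directory (e.g. an app's Contents/Resources/Java) and scan every .jar."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith(".jar"):
                found[f] = os.path.join(dirpath, f)
    return scan_all(found)


def _fake_jar(entries):
    """Constructed in-memory jar with the given entry paths (empty class bodies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    buf.seek(0)
    return buf


def build_sample_jars():
    """Constructed stand-ins for the cases raised on the list: a Log4J 1 jar, an affected
    log4j-core, a rebuilt 2.15.0, and a shaded copy that lost its pom.properties."""
    return {
        "log4j-1.2.17.jar": _fake_jar({LOG4J1_MARKER: b""}),
        "log4j-core-2.14.1.jar": _fake_jar({LOG4J2_CORE_POM: b"version=2.14.1\n", JNDI_LOOKUP_CLASS: b""}),
        "log4j-core-2.15.0.jar": _fake_jar({LOG4J2_CORE_POM: b"version=2.15.0\n", JNDI_LOOKUP_CLASS: b""}),
        "shaded-app.jar": _fake_jar({JNDI_LOOKUP_CLASS: b""}),
    }


if __name__ == "__main__":
    results = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_all(build_sample_jars())
    for r in results:
        print(f"{r['jar']:28} version={r['version']!s:12} JndiLookup={r['jndi_lookup']!s:5} {r['status']}")
```

Run it with no arguments to see the constructed cases, or point it at a
directory of jars. The filename fallback and the "version unknown" branch are
there because a shaded or repackaged jar does not always carry pom.properties,
and a copy of JndiLookup.class with no version evidence should be treated as
affected until proven otherwise.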
