Hi Paul, hi Ken, thank you so much for the info!!!
I use only Wonder, and the only Log4J I see in the class path is log4j-1.2.17 from ERJar, so I think it is ok. Thanks again!!!

Daniele Corti - IT
VINATI Srl
rs.dani...@vinati.com
tel: +39 030 2532813
fax: +39 030 2532814
___________________________
CONFIDENTIALITY NOTICE
This message (including any attachments transmitted with it) contains confidential information and is intended only for the individual named herein. If you are not the herein named addressee you should not disseminate, distribute, copy or otherwise make use of this message. Please notify the sender immediately by e-mail if you have received this message by mistake, and delete it from your systems.

On 14 December 2021 at 02:37:31, Paul Hoadley via Webobjects-dev (webobjects-dev@lists.apple.com) wrote:

> Hello,
>
> On 13 Dec 2021, at 20:56, Daniele Corti via Webobjects-dev <webobjects-dev@lists.apple.com> wrote:
>
>> Today the vulnerability CVE-2021-44228 details (log4j) are out and it looks like all log4j versions are affected! I’ve seen many attempts in the logs of the servers, but I was not able to understand whether my ERJar, which contains log4j-1.2.17, is also affected.
>
> As Ken Anderson noted, it only affects versions >=2.0-beta9 and <=2.14.1.
>
> https://logging.apache.org/log4j/2.x/security.html
>
> So log4j-1.2.17 specifically is unaffected. If that's the only Log4J you've got on the classpath, you're not affected. If you're running a vanilla Wonder app, you're almost certainly not using Log4J 2.
>
>> Was anyone able to check if the standard er.extensions.logging.ERXConsoleAppender is vulnerable?
>
> It's "vulnerable" only to the extent that it does use '%m' to print the log message (and a potential mitigation is to use '%m{nolookups}' if you're on version >= 2.7), but that's only relevant if you're using a vulnerable version of Log4J 2. Here are some brief notes I posted to Slack earlier today:
>
> * The good news is that if you're just using vanilla WebObjects/Wonder, you're probably not affected by it: Wonder is still on Log4J 1. You might have a dependency pulling in Log4J 2, though it's not clear to me whether that would matter unless you had the app-level co-operation to set up and use Log4J 2 to do actual logging. If you're using Maven, it's very easy to check: "mvn dependency:tree | grep log4j".
> * In any case, if you're definitely using Log4J 2 (we are—I went to some effort months ago to set it up!), you can mitigate the issue immediately by re-launching all instances with "-Dlog4j2.formatMsgNoLookups=true". That will give you time to re-build with Log4J 2.15.0.
> * Finally, if you're using AWS and you're using Web Application Firewall (WAF, which I highly recommend), you're already covered by the AWSManagedRulesKnownBadInputsRuleSet rules—if you're not using that set, add it immediately.
>
> --
> Paul Hoadley
> https://logicsquad.net/
> https://www.linkedin.com/company/logic-squad/
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Webobjects-dev mailing list (Webobjects-dev@lists.apple.com)
> Help/Unsubscribe/Update your Subscription:
> https://lists.apple.com/mailman/options/webobjects-dev/rs.daniele%40vinati.com
>
> This email sent to rs.dani...@vinati.com
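Paul's advice above boils down to a classpath check: find every Log4J jar and compare its version against the advisory's affected range (>=2.0-beta9 and <=2.14.1). The script below is an added example, not code from the thread, from Wonder or from Apache; it assumes jars follow the standard Maven naming (log4j-core-<version>.jar, log4j-1.2.17.jar) and also recognises the backported fix releases for older Java (2.12.2 and 2.3.1), which Apache published after this thread and which the thread's simple range does not cover.

```shell
#!/bin/sh
# Classify Log4J jar file names against the CVE-2021-44228 affected range
# quoted in the thread (>= 2.0-beta9 and <= 2.14.1). Prints one of:
# unaffected | vulnerable | unknown
log4j_status() {
    jar=$(basename "$1")
    case "$jar" in
        log4j-1.*.jar) echo unaffected; return ;;   # Log4J 1.x: outside this CVE's range
        log4j-core-2.*.jar) ;;                      # the module that carries the JNDI lookup
        log4j-*-2.*.jar) echo unaffected; return ;; # other Log4J 2 modules (api, slf4j-impl, ...)
        *) echo unknown; return ;;
    esac
    ver=${jar#log4j-core-}; ver=${ver%.jar}   # 2.14.1, 2.0-beta9, 2.0-rc1, ...
    base=${ver%%-*}                            # numeric part: 2.14.1 / 2.0
    qual=${ver#"$base"}; qual=${qual#-}        # pre-release qualifier, if any
    minor=$(echo "$base" | cut -d. -f2)
    patch=$(echo "$base" | cut -d. -f3); patch=${patch:-0}
    if [ "$minor" -ge 15 ]; then echo unaffected; return; fi   # 2.15.0+ (the rebuild target)
    # Backported fixes for older Java versions, released after this thread: 2.12.2+ and 2.3.1+
    if [ "$minor" -eq 12 ] && [ "$patch" -ge 2 ]; then echo unaffected; return; fi
    if [ "$minor" -eq 3 ] && [ "$patch" -ge 1 ]; then echo unaffected; return; fi
    case "$qual" in
        beta[1-8]) echo unaffected; return ;;   # 2.0-beta1 .. 2.0-beta8 predate the lookup
    esac
    echo vulnerable
}

# Walk a directory (a deployed app's classpath, e.g. a Wonder app's Frameworks/Library
# tree) and report every Log4J jar found; for Maven builds, cross-check the result
# against "mvn dependency:tree | grep log4j".
scan_dir() {
    find "$1" -type f -name 'log4j*.jar' | while IFS= read -r f; do
        printf '%-12s %s\n' "$(log4j_status "$f")" "$f"
    done
}

# Demo on a constructed directory of empty, deliberately named jars (not real artifacts).
demo_dir=$(mktemp -d)
for n in log4j-1.2.17.jar log4j-core-2.14.1.jar log4j-api-2.14.1.jar log4j-core-2.15.0.jar; do
    : > "$demo_dir/$n"
done
scan_dir "$demo_dir"
rm -rf "$demo_dir"
```

The file-name check is only a first pass: a shaded or renamed jar will show up as `unknown` and needs inspecting by hand.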