Just to update this:

On 14 Dec 2021, at 12:07, Paul Hoadley via Webobjects-dev <webobjects-dev@lists.apple.com> wrote:

> * In any case, if you're definitely using Log4J 2 (we are—I went to some
> effort months ago to set it up!), you can mitigate the issue immediately by
> re-launching all instances with "-Dlog4j2.formatMsgNoLookups=true".

It turns out that this was not a complete mitigation:

https://www.lunasec.io/docs/blog/log4j-zero-day/

> That will give you time to re-build with Log4J 2.15.0.

And that 2.15.0 was not a complete fix either:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

Current release is 2.16.0, and you should update to that if you're using Log4J 2.

https://logging.apache.org/log4j/2.x/security.html

--
Paul Hoadley
https://logicsquad.net/
https://www.linkedin.com/company/logic-squad/
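An inventory check for the advice in the message above, as an added example that is not part of the original post or of the Log4J project's code: it walks a deployment directory and lists every jar carrying log4j-core older than 2.16.0. The function names, and the use of the Maven `pom.properties` entry to spot copies bundled inside other jars, are this example's assumptions.

```python
import re
import zipfile
from pathlib import Path

MIN_FIXED = (2, 16, 0)  # release the message above says to update to
# Maven descriptor that log4j-core jars carry (assumed to survive repackaging).
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)")
VER_RE = re.compile(r"^version=(\d+(?:\.\d+)*)", re.M)

def as_tuple(text):
    """'2.14.1' -> (2, 14, 1), padded to three components for comparison."""
    parts = [int(p) for p in text.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def core_version(jar_path):
    """Return the log4j-core version found in this jar, or None if it has none."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            if POM in jar.namelist():
                m = VER_RE.search(jar.read(POM).decode("utf-8", "replace"))
                if m:
                    return as_tuple(m.group(1))
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable archive: fall back to the file name
    m = NAME_RE.match(Path(jar_path).name)
    return as_tuple(m.group(1)) if m else None

def outdated_jars(root):
    """List (relative path, version) for every jar with log4j-core < 2.16.0."""
    hits = []
    for jar in sorted(Path(root).rglob("*.jar")):
        version = core_version(jar)
        if version is not None and version < MIN_FIXED:
            rel = jar.relative_to(root).as_posix()
            hits.append((rel, ".".join(map(str, version))))
    return hits

if __name__ == "__main__":
    import sys
    for path, version in outdated_jars(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{version}\t{path}")
```

A copy that was repackaged without its Maven metadata and under a different file name will not be matched, so an empty result is not proof that no older copy is present.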