
Upgrade Apache log4j to 2.17.1


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 10.10-HF56, 2021.13
    • Fix Version/s: 10.10-HF57, 2021.15
    • Component/s: Security

      Description

      A fifth vulnerability, an RCE flaw tracked as CVE-2021-44832, has been discovered in 2.17.0; it is patched in the newest release, 2.17.1, which is now out.

      Rated 'Moderate' in severity and assigned a 6.6 score on the CVSS scale, the vulnerability stems from the lack of additional controls on JNDI access in log4j.

      "JDBC Appender should use JndiManager when accessing JNDI. JNDI access should be controlled via a system property," states the issue description seen by BleepingComputer.

      "Related to CVE-2021-44832 where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code."
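      As a defender-side check added here (not code from the Nuxeo ticket or the log4j project), the following Python scans a log4j2.xml configuration for JDBC appenders whose DataSource is resolved through JNDI, the surface described above, and compares the deployed log4j-core version against 2.17.1. The sample configuration, the appender name and the JNDI name are constructed; the `log4j2.enableJndiJdbc` system property is the opt-in switch 2.17.1 introduced for this path.

```python
import re
import xml.etree.ElementTree as ET

# Earliest log4j-core release carrying the CVE-2021-44832 fix (per the ticket).
FIXED_VERSION = (2, 17, 1)

# Constructed sample log4j2.xml: one JDBC appender whose DataSource is a JNDI name.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT"><PatternLayout pattern="%m%n"/></Console>
    <JDBC name="DbAudit" tableName="audit_log">
      <DataSource jndiName="java:comp/env/jdbc/AuditDS"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

def parse_version(text):
    """'2.17.0' -> (2, 17, 0) so versions compare as tuples, not strings."""
    return tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", text).groups())

def is_vulnerable_version(version):
    """True when log4j-core predates the 2.17.1 fix."""
    return parse_version(version) < FIXED_VERSION

def find_jndi_jdbc_appenders(config_xml):
    """(name, jndiName) of each JDBC appender whose DataSource is a JNDI lookup."""
    hits = []
    for element in ET.fromstring(config_xml).iter():
        if element.tag.lower() != "jdbc":
            continue
        for child in element:
            if child.tag.lower() == "datasource" and child.get("jndiName"):
                hits.append((element.get("name"), child.get("jndiName")))
    return hits

def assess(log4j_core_version, config_xml):
    """Combine the version check and the config scan into a list of findings."""
    findings = []
    unpatched = is_vulnerable_version(log4j_core_version)
    if unpatched:
        findings.append(f"log4j-core {log4j_core_version} predates 2.17.1: upgrade")
    for name, jndi in find_jndi_jdbc_appenders(config_xml):
        if unpatched:
            findings.append(f"JDBC appender '{name}' resolves its DataSource via JNDI ({jndi})")
        else:  # 2.17.1+ refuses JNDI here unless log4j2.enableJndiJdbc=true is set
            findings.append(f"'{name}' needs log4j2.enableJndiJdbc=true on 2.17.1+; leave it unset")
    return findings
```

On an unpatched host the appender finding is the priority; after the upgrade the remaining finding only tells you which appenders would stop working if the property is left at its default, which is the safe state.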
