[Tznog] Security Advisory for Apache Log4j 2
Noah
noah at neo.co.tz
Fri Dec 17 11:04:30 EAT 2021
*Summary*
A critical vulnerability was recently discovered in Apache Log4j 2 that
allows unauthenticated remote code execution. The vulnerability,
tracked as CVE-2021-44228 and referred to as “Log4Shell,” affects
Java-based applications that use Log4j 2 versions 2.0 through 2.14.1.
Log4j 2 is a Java-based logging library that is widely used in business
system development, included in various open-source libraries, and directly
embedded in major software applications. The scope of impact has expanded
to thousands of products and devices, including Apache products such as
Struts 2, Solr, Druid, Flink, Swift, Karaf, and others.
*Description*
The vulnerability is a remote code execution vulnerability that can allow
an unauthenticated attacker to gain complete access to a target system.
It is triggered when a specially crafted string is parsed and processed
by the vulnerable Log4j 2 component, which can happen through any
user-provided input that ends up being logged.
*Versions affected*
Apache Log4j2 versions:
- 2.0-beta9
- 2.12.1
- 2.13.0
- 2.14.1
*Recommendation*
The recommended action is to update Apache Log4j 2. An application restart
will be required.
All systems, including those that are not internet facing, are potentially
exposed to these vulnerabilities, so backend systems and microservices
should be upgraded as well, not only the public-facing ones.
No Java version can mitigate these vulnerabilities.
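To find out which copies of Log4j 2 on a host actually fall in the range above, here is an added example (not from the advisory or the Log4j project) that walks a directory tree and flags log4j-core JARs whose version is between 2.0-beta9 and 2.14.1 inclusive, including copies bundled inside .jar/.war/.ear archives as is common in backend services; the file-name pattern and the version ordering are my own assumptions.

```python
import os
import re
import zipfile

# Affected range as stated in the advisory: 2.0-beta9 through 2.14.1 (inclusive).
# Assumed file-name pattern: log4j-core-<version>.jar (possibly nested in an archive).
JAR_NAME = re.compile(r"(?:^|/)log4j-core-(\d+(?:\.\d+)*(?:-(?:alpha|beta|rc)\d*)?)\.jar$", re.I)


def version_key(version):
    """Sortable key: a pre-release (2.0-beta9) sorts before its release (2.0)."""
    base, _, pre = version.partition("-")
    nums = [int(p) for p in base.split(".")]
    nums += [0] * (3 - len(nums))  # pad "2.0" -> 2.0.0
    if pre:
        m = re.match(r"(alpha|beta|rc)(\d*)", pre, re.I)
        stage = {"alpha": 0, "beta": 1, "rc": 2}[m.group(1).lower()]
        return (*nums[:3], 0, stage, int(m.group(2) or 0))
    return (*nums[:3], 1, 0, 0)


FIRST_AFFECTED = version_key("2.0-beta9")
LAST_AFFECTED = version_key("2.14.1")


def is_affected(version):
    return FIRST_AFFECTED <= version_key(version) <= LAST_AFFECTED


def classify(names):
    """Return (name, version, affected) for every log4j-core JAR among the given paths."""
    out = []
    for name in names:
        m = JAR_NAME.search(name.replace("\\", "/"))
        if m:
            out.append((name, m.group(1), is_affected(m.group(1))))
    return out


def scan_tree(root):
    """Walk a directory and report log4j-core JARs, including ones shaded inside archives."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            findings += [(path, v, a) for _, v, a in classify([path])]
            if f.lower().endswith((".jar", ".war", ".ear", ".zip")):
                try:
                    with zipfile.ZipFile(path) as z:
                        findings += [(f"{path}!{n}", v, a) for n, v, a in classify(z.namelist())]
                except zipfile.BadZipFile:
                    pass  # not a real archive; skip it
    return findings


if __name__ == "__main__":
    import sys
    for path, version, affected in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'AFFECTED' if affected else 'ok      '} {version:<12} {path}")
```

Run it against application directories and service deployment roots; every line marked AFFECTED is a copy that needs the update and a restart of the application that loads it.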