[SANS ISC] Log4j 2 Security Vulnerabilities Update Guide (Wed, Dec 29th)

As Apache Log4j 2 security vulnerabilities continue to surface, and are quickly addressed by the Log4j Security Team, keeping track of specific CVEs, severity, and affected versions can be a bit of a task on the fly. As such, herein is a quick table version of update guidance. The current supported version of Log4j2 for Java 8 is 2.17.1 as of this writing.

Note: Log4j 1 is end of life and no longer supported. Java 7 and 6 are end of life and no longer supported. Please upgrade to current, supported versions accordingly.

Log4j 2 Security Vulnerabilities Update Guide
Reference: https://logging.apache.org/log4j/2.x/security.html

| Severity | CVE fixed | Description | CVSS | Fixed in (Java 8) | Fixed in (Java 7) | Fixed in (Java 6) | Versions Affected |
|---|---|---|---|---|---|---|---|
| Moderate | CVE-2021-44832 | Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration. | 6.6 | 2.17.1 | 2.12.4 | 2.3.2 | 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4 |
| Moderate | CVE-2021-45105 | Apache Log4j2 does not always protect from infinite recursion in lookup evaluation. | 5.9 | 2.17.0 | 2.12.3 | 2.3.1 | All versions from 2.0-beta9 to 2.16.0, excluding 2.12.3 |
| Critical | CVE-2021-45046 | Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations. | 9 | 2.16.0 | 2.12.2 | | All versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 |
| Critical | CVE-2021-44228 | Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints. | 10 | 2.15.0 | | | All versions from 2.0-beta9 to 2.14.1 |

A blank "Fixed in" cell means the table lists no fix release for that Java line under that CVE.
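As an added example (not ISC's or Apache's code), the following Python script encodes the table above as data and checks an installed Log4j 2 jar against it, reporting which CVEs are still open and which release the host's Java line should move to. The function names (`parse_version`, `release_line`, `assess`) are the example's own. Two assumptions are layered on the table: 2.3.x is the Java 6 line and 2.12.x the Java 7 line, as the columns imply; and a fix release on a line also closes every earlier CVE on that line, so a blank cell is covered by the next non-blank cell in the same column. The sample inventory at the bottom is constructed.

```python
"""Check Log4j 2 jar versions against the advisory table on this page.

Added example, not ISC's or Apache's code. CVE ids, CVSS scores, range lower
bounds and fixed releases are transcribed from the table. Assumptions:
 (1) Log4j 2.3.x is the Java 6 line and 2.12.x the Java 7 line;
 (2) a fix release on a line also carries the fixes for every earlier CVE
     on that line, so a blank cell is covered by the next non-blank cell.
"""
import re
from dataclasses import dataclass

_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}    # final release ranks 3
_VERSION_RE = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """'2.0-beta9' -> (2, 0, 0, 1, 9); tuples compare in release order.

    2.0-alpha7 < 2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1 < 2.12.2 < 2.17.1
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j 2 version string: {text!r}")
    major, minor, patch, stage, pre = m.groups()
    numeric = (int(major), int(minor or 0), int(patch or 0))
    if stage is None:
        return numeric + (3, 0)
    return numeric + (_STAGE_RANK[stage.lower()], int(pre))


def release_line(version: str) -> int:
    """Java line a jar belongs to, judged from its branch (assumption 1)."""
    major, minor = parse_version(version)[:2]
    if (major, minor) == (2, 3):
        return 6
    if (major, minor) == (2, 12):
        return 7
    return 8


@dataclass
class Advisory:
    cve: str
    severity: str
    cvss: float
    affected_from: str      # oldest affected release, from the table
    fixed: dict             # Java line -> first fixed release in that column


# Oldest first: the order drives the cumulative-fix rule in fixes_for().
ADVISORIES = (
    Advisory("CVE-2021-44228", "Critical", 10.0, "2.0-beta9", {8: "2.15.0"}),
    Advisory("CVE-2021-45046", "Critical", 9.0, "2.0-beta9", {8: "2.16.0", 7: "2.12.2"}),
    Advisory("CVE-2021-45105", "Moderate", 5.9, "2.0-beta9", {8: "2.17.0", 7: "2.12.3", 6: "2.3.1"}),
    Advisory("CVE-2021-44832", "Moderate", 6.6, "2.0-alpha7", {8: "2.17.1", 7: "2.12.4", 6: "2.3.2"}),
)


def fixes_for(cve: str, line: int) -> list:
    """Releases on `line` that close `cve`: its own cell plus every later CVE's cell (assumption 2)."""
    idx = next(i for i, a in enumerate(ADVISORIES) if a.cve == cve)
    return [a.fixed[line] for a in ADVISORIES[idx:] if line in a.fixed]


def is_affected(version: str, cve: str) -> bool:
    """True when `version` is at or past the CVE's lower bound and below every fix on its line."""
    adv = next(a for a in ADVISORIES if a.cve == cve)
    v = parse_version(version)
    if v < parse_version(adv.affected_from):
        return False                      # predates the vulnerable code
    fixes = fixes_for(cve, release_line(version))
    return not any(v >= parse_version(f) for f in fixes)


def assess(version: str, java_major: int) -> dict:
    """Open CVEs for one jar, and the release to move to on the host's Java."""
    open_advs = [a for a in ADVISORIES if is_affected(version, a.cve)]
    column = min(java_major, 8)           # Java 11/17 use the Java 8 column
    targets = [a.fixed[column] for a in ADVISORIES if column in a.fixed]
    return {
        "version": version,
        "open": [a.cve for a in open_advs],
        "worst_cvss": max((a.cvss for a in open_advs), default=0.0),
        "upgrade_to": max(targets, key=parse_version) if open_advs and targets else None,
    }


if __name__ == "__main__":
    # Constructed sample inventory: (jar version, Java major) per host
    inventory = [("2.14.1", 11), ("2.0-beta9", 8), ("2.12.2", 7), ("2.3.1", 6), ("2.17.1", 8)]
    for ver, java in inventory:
        r = assess(ver, java)
        print(f"log4j {ver:<9} on Java {java:>2}: open={r['open']} "
              f"worst={r['worst_cvss']} upgrade_to={r['upgrade_to']}")
```

Feed it the version strings pulled from a jar inventory. Pre-release tags are ordered explicitly because they matter here: 2.0-beta9 sits inside the affected range of all four CVEs, while 2.0-alpha7 is affected only by CVE-2021-44832, and a naive string comparison gets both wrong.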

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
