Re: [jetty-users] [jetty-dev] Jetty: Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)
One needs to check *all* jars too. I notice that the c3p0 db
connection pool package uses a lib (by the same author) called
mchange-commons that incorporates log4j:
https://github.com/swaldman/mchange-commons-java/tree/master/src/main/java/com/mchange
$ jar tf ...jar
com/mchange/v2/log/log4j2/MLogAppender.class
com/mchange/v2/log/log4j/Log4jMLog$Log4jMLogger.class
com/mchange/v2/log/log4j2/Log4j2MLog$Log4jMLogger.class
com/mchange/v2/log/log4j2/Log4j2MLog.class
In case anyone else is concerned. I haven't had time to do more
than verify I can't get a side effect from outside my site.
Bill
On 12/16/21 5:26 AM, Joakim Erdfelt wrote:
You have 2 recent CVEs for Log4j 2.x to be aware of
- CVE-2021-44228 and CVE-2021-45046.
Both of these are currently resolved by simply upgrading to
Log4j2 2.16.0.
Log4j 1.x was EOL in August 2015 and now has an ever
growing post-EOL CVE list; its use in production is not
recommended anymore.
As Simone pointed out, Jetty has never had a dependency on
log4j, any version.
If you are using log4j, then you added it to your own copy
of Jetty.
Upgrading log4j, or deciding to switch to a different
logging implementation (logback, java.util.logging, etc) will
have zero impact on Jetty itself.
Hi Team,
We are using the below jars provided
by you. We want to ensure and know if they are impacted
by “Apache Log4j Tool : Zero Day in Ubiquitous Under
Active Attack (CVE-2021-44228)”. If they are impacted,
please let us know about the security recommendation.
To know, we are looking for the following answers:
Jars (artifact, version):
jetty-4.2.19 (4.2.19)
jetty-continuation-7.5.4.v20111024 (7.5.4)
jetty-http-7.5.4.v20111024 (7.5.4)
jetty-security-7.5.4.v20111024 (7.5.4)
jetty-util-7.5.4.v20111024 (7.5.4)
jetty-io-7.5.4.v20111024 (7.5.4)
jetty-server-7.5.4.v20111024 (7.5.4)
Are you using log4j?
If you are using the log4j 1.x
version, are you using the JMSAppender class?
If you are using log4j 2.x,
what is your security recommendation to fix the
issue?
Thanks and regards,
Amit Kumar
Tech Lead, Software Development
Engineering
Financial & Risk Management Solutions
Mobile: +91-9990094588
_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-dev
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
--
Phobrain.com