Re: [jetty-users] [jetty-dev] Jetty: Apache Log4j Tool : Zero Day in Ubi

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-users] [jetty-dev] Jetty: Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)

From: Lothar Kimmeringer <job@xxxxxxxxxxxxxx>
Date: Fri, 17 Dec 2021 11:29:15 +0100
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jetty-users/>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.3.2



Am 16.12.2021 um 14:26 schrieb Joakim Erdfelt:

As Simone pointed out, Jetty has never had a dependency on log4j, any version.
If you are using log4j, then you added it to your own copy of Jetty.


While the statement is true it might be worth mentioning that
Jetty could use log4j indirectly if log4j has been configured
to be SLF4J's backend logging framework and Jetty has been
configured to use Slf4jLog and/or Slf4jRequestLogWriter.

Especially if Jetty is embedded into a larger application, this
scenario isn't that far fetched.


Cheers, Lothar

Follow-Ups:
- Re: [jetty-users] [jetty-dev] Jetty: Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)
  - From: Simone Bordet

References:
- [jetty-users] Jetty: Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)
  - From: Kumar, Amit (Noida)
- Re: [jetty-users] [jetty-dev] Jetty: Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)
  - From: Joakim Erdfelt

Prev by Date: Re: [jetty-users] [jetty-dev] Jetty: Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)
Next by Date: Re: [jetty-users] [jetty-dev] Jetty: Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)
Previous by thread: Re: [jetty-users] [jetty-dev] Jetty: Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)
Next by thread: Re: [jetty-users] [jetty-dev] Jetty: Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)
Index(es):
- Date
- Thread

Breadcrumbs