Re: [jetty-users] [jetty-dev] Jetty: Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)

Hi,

On Fri, Dec 17, 2021 at 11:29 AM Lothar Kimmeringer <job@xxxxxxxxxxxxxx> wrote:
> On 16.12.2021 at 14:26, Joakim Erdfelt wrote:
>
> > As Simone pointed out, Jetty has never had a dependency on log4j, any version.
> > If you are using log4j, then you added it to your own copy of Jetty.
>
> While the statement is true, it might be worth mentioning that
> Jetty could use log4j indirectly if log4j has been configured
> to be SLF4J's backend logging framework and Jetty has been
> configured to use Slf4jLog and/or Slf4jRequestLogWriter.
>
> Especially if Jetty is embedded into a larger application, this
> scenario isn't that far-fetched.

You are right that this scenario is possible, but there is nothing
that we can do about it.
We don't have to release a new version of Jetty to patch anything,
because there is nothing to patch on the Jetty side.

Sure, people will need to carefully review their dependencies,
recursively, and whether they have configured Jetty (or some other
library) with Log4J, and we wrote a generic how-to for how to deal
with some of these cases (again we cannot cover them all) in this
blog:
https://webtide.com/jetty-log4j2-exploit-cve-2021-44228/

-- 
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
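One way to do the recursive dependency review discussed in this thread for a deployed Jetty tree, as an added example that is not from the thread or from the Jetty project: a Python script that walks the archives under a Jetty home (lib/, webapps/), descends into the jars nested inside WARs, and reports every log4j-core and SLF4J-to-Log4j2 binding it finds with the Maven version read from pom.properties. The directory layout, archive names and version strings in `demo()` are constructed for the demonstration; the reported versions are what you compare against the Apache Log4j advisory for CVE-2021-44228.

```python
import io, os, tempfile, zipfile

ARCHIVES = (".jar", ".war", ".zip")
# Maven coordinates to flag, read from META-INF/maven/<group>/<artifact>/pom.properties
TARGETS = {("org.apache.logging.log4j", "log4j-core"): "log4j-core",
           ("org.apache.logging.log4j", "log4j-slf4j-impl"): "slf4j->log4j2 binding"}

def _scan_zip(zf, path, found):
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
            lines = zf.read(name).decode("utf-8", "replace").splitlines()
            props = dict(ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))
            key = (props.get("groupId"), props.get("artifactId"))
            if key in TARGETS:
                found.append((path, TARGETS[key], props.get("version", "?")))
        elif name.endswith(ARCHIVES):
            # Nested archive (e.g. WEB-INF/lib/*.jar inside a WAR): recurse in memory.
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                _scan_zip(inner, path + "!/" + name, found)

def scan_tree(root):
    """Return (archive path, what, version) for every hit under root, nested jars included."""
    found = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            p = os.path.join(dirpath, f)
            if f.endswith(ARCHIVES) and zipfile.is_zipfile(p):
                with zipfile.ZipFile(p) as zf:
                    _scan_zip(zf, p, found)
    return found

def _jar(group, artifact, version):
    """Constructed minimal jar carrying only Maven pom.properties (demo fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                   f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
    return buf.getvalue()

def demo():
    """Constructed Jetty-like tree: jetty-server in lib/, a WAR bundling log4j-core plus the SLF4J binding."""
    root = tempfile.mkdtemp()
    for d in ("lib", "webapps"):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "lib", "jetty-server.jar"), "wb") as fh:
        fh.write(_jar("org.eclipse.jetty", "jetty-server", "10.0.6"))  # constructed, not flagged
    with zipfile.ZipFile(os.path.join(root, "webapps", "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core.jar", _jar("org.apache.logging.log4j", "log4j-core", "2.14.1"))
        war.writestr("WEB-INF/lib/log4j-slf4j-impl.jar", _jar("org.apache.logging.log4j", "log4j-slf4j-impl", "2.14.1"))
    return scan_tree(root)
```

Run `scan_tree("/path/to/jetty-home")` against a real deployment; a hit on the SLF4J binding alongside log4j-core is the indirect configuration the thread describes, even though Jetty itself ships neither.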