Re: [jetty-users] [jetty-dev] Jetty: Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)

We (the Log4j team) are doing our best to manage the flood of reports,
messages, PRs, and so on. We welcome all to hammer on this release and
talk to us.

TY!
Gary
https://github.com/apache/logging-log4j2/tree/release-2.x

On Sat, Dec 18, 2021 at 8:36 AM Joakim Erdfelt <joakim@xxxxxxxxxxx> wrote:
>
> There is a new Log4J CVE, everyone using log4j needs to upgrade to 2.17.0 now.
>
> https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105
>
> Joakim Erdfelt / joakim@xxxxxxxxxxx
>
>
> On Fri, Dec 17, 2021 at 5:16 PM Simone Bordet <sbordet@xxxxxxxxxxx> wrote:
>>
>> Hi,
>>
>> On Fri, Dec 17, 2021 at 11:29 AM Lothar Kimmeringer <job@xxxxxxxxxxxxxx> wrote:
>> > On 16.12.2021 at 14:26, Joakim Erdfelt wrote:
>> >
>> > > As Simone pointed out, Jetty has never had a dependency on log4j, any version.
>> > > If you are using log4j, then you added it to your own copy of Jetty.
>> >
>> > While the statement is true it might be worth mentioning that
>> > Jetty could use log4j indirectly if log4j has been configured
>> > to be SLF4J's backend logging framework and Jetty has been
>> > configured to use Slf4jLog and/or Slf4jRequestLogWriter.
>> >
>> > Especially if Jetty is embedded into a larger application, this
>> > scenario isn't that far-fetched.
>>
>> You are right that this scenario is possible, but there is nothing
>> that we can do about it.
>> We don't have to release a new version of Jetty to patch anything,
>> because there is nothing to patch on the Jetty side.
>>
>> Sure, people will need to carefully review their dependencies,
>> recursively, and whether they have configured Jetty (or some other
>> library) with Log4J, and we wrote a generic how-to for how to deal
>> with some of these cases (again we cannot cover them all) in this
>> blog:
>> https://webtide.com/jetty-log4j2-exploit-cve-2021-44228/
>>
>> --
>> Simone Bordet
>> ----
>> http://cometd.org
>> http://webtide.com
>> Developer advice, training, services and support
>> from the Jetty & CometD experts.
>> _______________________________________________
>> jetty-users mailing list
>> jetty-users@xxxxxxxxxxx
>> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
>
> _______________________________________________
> jetty-users mailing list
> jetty-users@xxxxxxxxxxx
> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
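Simone's point that dependencies have to be reviewed recursively, including a log4j copy that a webapp bundles inside its own WAR, as an added example that is not part of this thread or of the Jetty/Log4j projects: a Python scanner that walks a directory (say an embedded Jetty's lib/ and webapps/), looks inside every jar and war, nested ones included, for log4j-core, reads the version from the manifest, and flags anything below the 2.17.0 that Joakim names. The fixture jars it builds are constructed stand-ins, not Apache artifacts.

```python
import io, re, tempfile, zipfile
from pathlib import Path
MIN_SAFE = (2, 17, 0)  # the version the thread says everyone must move to
CORE_MARKER = "org/apache/logging/log4j/core/Logger.class"  # only log4j-core ships this
MANIFEST = "META-INF/MANIFEST.MF"

def parse_version(text):  # '2.17.0' -> (2, 17, 0); missing components become 0
    parts = [int(p) for p in text.strip().split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])

def log4j_core_version(zf):
    """Version tuple of log4j-core inside an open archive, or None if it is absent."""
    if CORE_MARKER not in zf.namelist():
        return None
    manifest = zf.read(MANIFEST).decode("utf-8", "replace") if MANIFEST in zf.namelist() else ""
    m = re.search(r"Implementation-Version:\s*([\d.]+)", manifest)
    return parse_version(m.group(1)) if m else (0, 0, 0)  # no version stated: treat as old

def scan_archive(zf, path, findings):
    """Record log4j-core in this archive, then recurse into jars/wars nested inside it."""
    version = log4j_core_version(zf)
    if version is not None:
        findings.append((path, version, version < MIN_SAFE))
    for name in zf.namelist():  # e.g. WEB-INF/lib/*.jar inside a WAR, lib/ in a fat jar
        if name.endswith((".jar", ".war")):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                scan_archive(inner, f"{path}!/{name}", findings)

def scan_tree(root):
    """Walk a directory tree; return [(path, version, needs_upgrade)] per log4j-core found."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.suffix in (".jar", ".war") and zipfile.is_zipfile(p):
            with zipfile.ZipFile(p) as zf:
                scan_archive(zf, str(p), findings)
    return findings

def build_sample_tree():
    """Constructed fixture (not real Apache artifacts): old jar, fixed jar, WAR with an old jar."""
    def fake_jar(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            zf.writestr(CORE_MARKER, b"")  # an empty marker entry is enough for the scan
        return buf.getvalue()
    root = Path(tempfile.mkdtemp())
    (root / "log4j-core-2.17.0.jar").write_bytes(fake_jar("2.17.0"))
    (root / "log4j-core-2.14.1.jar").write_bytes(fake_jar("2.14.1"))
    with zipfile.ZipFile(root / "app.war", "w") as war:  # a webapp bundling its own old copy
        war.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", fake_jar("2.16.0"))
    return root
```

Run `scan_tree("/path/to/jetty-base")` against a real installation; the marker check does not see shaded jars that relocate the `org.apache.logging.log4j.core` package, so those still need the manual review Simone describes.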