Networking-Forums.com

Professional Discussions => Security => Topic started by: deanwebb on December 16, 2021, 08:28:07 AM

Title: Log4j Blues
Post by: deanwebb on December 16, 2021, 08:28:07 AM
Well, I've had to move planned holiday PTO because of Log4j.  :'(

Just so everyone knows, version 2.15 fixes most things. Version 2.16 fixes all known vulnerabilities.

Lots of vendors impacted, too many for the CISA to fully track. Thankfully, the major operating systems don't run on Java, so we don't have to rush out patches for all of Windows or macOS or Linux platforms. All the same, this incident draws a line under any company's level of patch management.

Title: Re: Log4j Blues
Post by: heath on December 16, 2021, 09:52:20 PM
https://github.com/NCSC-NL/log4shell/tree/main/software

Title: Re: Log4j Blues
Post by: Dieselboy on December 19, 2021, 10:59:12 PM
Since you wrote that post, they released v 2.17 to fix another vulnerability that existed in 2.16 on 18th December.

Quote from: https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html
Apache has released log4j 2.17.0 to address the new vulnerability CVE-2021-45105. The vulnerability is the result of an infinite recursion resulting in denial of service. Recommendation is to upgrade to 2.17.0. Additional details of the vulnerability can be found below. This vulnerability is already detected with existing coverage.

Update your signatures...

Quote
Updated Coverage: Cisco Talos has released additional coverage today including vSphere detection. New signatures released are SIDs: 58740-58742, 58801-58814. Additionally, Cisco Talos has released new and updated ClamAV signatures.

Title: Re: Log4j Blues
Post by: deanwebb on December 20, 2021, 08:31:09 AM
Yep. 2.17 is the one that fixes everything. Today. As of 8:30 AM, US Central Time. :smug:

:facepalm1:
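
An added example, not part of any post in this thread: a Python inventory check that finds log4j-core copies under a directory and sorts them against the releases named above (2.15, 2.16, 2.17.0). The function names and status strings are illustrative, and it assumes each copy keeps either its Maven `pom.properties` entry or its `log4j-core-<version>.jar` file name.

```python
import re
import zipfile
from pathlib import Path

# Maven metadata path inside log4j-core; usually survives repackaging into fat jars.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)+)[^/]*\.jar$")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.17' and '2.0-beta9' are padded to three parts."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(version):
    """Map a version tuple onto the release steps named in the thread."""
    if version >= (2, 17, 0):
        return "ok: 2.17.0 or later"
    if version >= (2, 16, 0):
        return "upgrade: 2.16.x predates the CVE-2021-45105 fix"
    if version >= (2, 15, 0):
        return "upgrade: 2.15.x"
    return "upgrade: older than 2.15"

def versions_in_archive(path):
    """Version strings of every log4j-core copy found in one jar/war/ear."""
    found = []
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            found += re.findall(r"^version=(\S+)", props, re.MULTILINE)
        # Nested copies, e.g. BOOT-INF/lib/log4j-core-2.14.1.jar in a fat jar.
        found += [m.group(1) for m in map(NAME_RE.search, names) if m]
    own = NAME_RE.search(Path(path).name)
    return found or ([own.group(1)] if own else [])

def scan(root):
    """Walk root; return sorted (relative path, version, status) findings."""
    results = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in {".jar", ".war", ".ear"}:
            try:
                versions = versions_in_archive(p)
            except zipfile.BadZipFile:
                continue  # not a real archive; skip rather than abort the scan
            rel = p.relative_to(root).as_posix()
            results += [(rel, v, classify(parse_version(v))) for v in versions]
    return sorted(results)
```

Run `scan("/opt")` (or any application root) and review every row whose status starts with `upgrade`; a copy that has been renamed and stripped of its Maven metadata will not be found this way.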