Open davecurrie opened 2 years ago
The Corretto team at AWS has been working on a tool to hotpatch the log4j RCE from CVE-2021-44228. This tool
You can get it at https://github.com/corretto/hotpatch-for-apache-log4j2. Use it at your own risk and go through the README for instructions and caveats.
A high-severity security issue within Log4j2 was recently disclosed publicly (see https://nvd.nist.gov/vuln/detail/CVE-2021-44228 for more details). Anyone using Log4j2 should upgrade to version 2.15, which addresses this issue. Log4j2 versions older than 2.15 should be considered affected regardless of the JDK distribution or version used.
It has been reported that using Log4j2 on JDKs after 8u121 or 8u191 (including JDK 11 and later) mitigates the issue but this is only a partial mitigation. The only comprehensive solution is to upgrade Log4j2 to 2.15.
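A defender-side check for the "older than 2.15" rule stated above, as an added example that is not part of this issue or of the hotpatch tool; it assumes log4j-core jars carry the standard Maven pom.properties entry, and the jars it inspects are constructed inline as fixtures:

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Per the advisory above: Log4j2 versions older than 2.15 are affected.
FIXED_VERSION = (2, 15, 0)
# Path Maven writes into the log4j-core artifact; used as the version source.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); missing components are padded with 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def log4j_core_version(jar_path):
    """Return the log4j-core version string in a jar, or None if it is not log4j-core."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def is_affected(version_str):
    """True when the jar version is older than the 2.15 fix line."""
    return parse_version(version_str) < FIXED_VERSION


def scan(root):
    """Walk a directory tree and list (path, version) for affected log4j-core jars."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        ver = log4j_core_version(jar)
        if ver is not None and is_affected(ver):
            findings.append((str(jar), ver))
    return findings


def make_sample_jar(path, version):
    """Constructed fixture: a minimal jar holding only the log4j-core pom.properties."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")


def demo():
    """Build one affected and one fixed jar in a temp dir; return affected versions found."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(Path(tmp) / "log4j-core-2.14.1.jar", "2.14.1")
        make_sample_jar(Path(tmp) / "log4j-core-2.15.0.jar", "2.15.0")
        return [ver for _, ver in scan(tmp)]
```

A hotpatched JVM still reports the old jar version, and nested jars inside a war or fat jar, or shaded copies without pom.properties, are not seen by this check, so a clean result is not proof of absence.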