devcon5io / mutation-analysis-plugin

Plugin for SonarQube to process mutation analysis results.
GNU Lesser General Public License v3.0

Request to upgrade vulnerable Log4j Core version #67

Closed sharavananmsp closed 3 months ago

sharavananmsp commented 2 years ago

Log4j core version [2.14.1] used by the plugin is vulnerable to a remote code execution (RCE) attack. Kindly refer to the link below for the description and mitigation.

https://logging.apache.org/log4j/2.x/security.html

Description: Apache Log4j2 versions 2.0-alpha1 through 2.16.0, excluding 2.12.3, did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.

This is to upgrade the log4j core version to a non-vulnerable version [Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later)] as shown in the mitigation steps on the page above.

Note: Pull request #65 already exists to bump up the log4j version and is still open.

References:
https://logging.apache.org/log4j/2.x/security.html
https://nvd.nist.gov/vuln/detail/CVE-2021-45105

Thanks.
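The affected range and the fixed versions quoted in the issue above (2.0-alpha1 through 2.16.0, with 2.3.1, 2.12.3 and 2.17.0 as the fixed releases) can be turned into a small dependency check. The following is an added example, not code from this plugin or from the issue author: it scans `mvn dependency:tree` output for `log4j-core` and reports versions still inside the CVE-2021-45105 range. The dependency-tree lines are constructed sample input, not the plugin's real build output.

```python
"""Flag org.apache.logging.log4j:log4j-core versions affected by CVE-2021-45105
in Maven dependency-tree output. Example added to this issue thread; the
thresholds are the ones quoted from the Apache advisory in the issue."""
import re
from typing import List, Tuple

# Releases named as fixed in the advisory text quoted above.
FIXED_BRANCH_VERSIONS = {(2, 3, 1), (2, 12, 3)}
# Everything from 2.0-alpha1 up to and including 2.16.0 is affected
# unless it is one of the fixed branch releases; 2.17.0 and later are fixed.
LAST_AFFECTED = (2, 16, 0)

# Matches a log4j-core coordinate in `mvn dependency:tree` output, e.g.
# "org.apache.logging.log4j:log4j-core:jar:2.14.1:compile".
LOG4J_CORE_RE = re.compile(
    r"org\.apache\.logging\.log4j:log4j-core:jar:(?P<version>[^:\s]+):(?P<scope>\w+)"
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce a Maven version string to a numeric (major, minor, patch) tuple.

    Qualifiers such as '-alpha1' are dropped, so '2.0-alpha1' -> (2, 0, 0);
    this is safe here because every pre-release of 2.0 is inside the
    affected range anyway. Missing components are padded with 0.
    """
    base = version.partition("-")[0]
    parts = [int(p) for p in base.split(".") if p.isdigit()]
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True if this log4j-core version falls in the CVE-2021-45105 range."""
    nums = parse_version(version)
    if nums < (2, 0, 0):
        # log4j 1.x is a different artifact and is out of scope for this check.
        return False
    if nums in FIXED_BRANCH_VERSIONS:
        return False
    return nums <= LAST_AFFECTED


def find_affected_log4j(tree_output: str) -> List[Tuple[str, str]]:
    """Return (version, scope) pairs for every affected log4j-core entry found."""
    findings = []
    for line in tree_output.splitlines():
        match = LOG4J_CORE_RE.search(line)
        if match and is_affected(match.group("version")):
            findings.append((match.group("version"), match.group("scope")))
    return findings


# Constructed sample of `mvn dependency:tree` output (not the plugin's build).
SAMPLE_TREE_VULNERABLE = """\
[INFO] com.example:demo:jar:1.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# Same tree after the upgrade suggested in the issue.
SAMPLE_TREE_FIXED = SAMPLE_TREE_VULNERABLE.replace("2.14.1", "2.17.0")


if __name__ == "__main__":
    for label, tree in (("before", SAMPLE_TREE_VULNERABLE), ("after", SAMPLE_TREE_FIXED)):
        hits = find_affected_log4j(tree)
        status = "affected: " + ", ".join(f"{v} ({s})" for v, s in hits) if hits else "clean"
        print(f"{label}: {status}")
```

Run it against real output from `mvn dependency:tree` on the plugin's checkout to confirm that no transitive dependency still pulls in an affected `log4j-core`; the regex only looks at the `log4j-core` artifact, because the lookup recursion described in the advisory lives in that module.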

gmuecke commented 3 months ago

Log4j was bumped to 2.20 in version 1.8 (which has been released just now - and the marketplace update is pending)