Open ertugrulturan opened 5 months ago
@h-mdm Any chance you can take a look at https://reload4j.qos.ch/?
It should be a drop-in replacement for log4j 1.2.17, so you don't need to update the code base. The vuln is quite dangerous, so it would be great to just have this as a quick fix for now.
I have implemented an exploit of CVE-2021-44228 mentioned in https://www.lunasec.io/docs/blog/log4j-zero-day/, and it didn't work. The line ${jndi:ldap://127.0.0.1/a} is logged as it is; no attempt at remote access via JNDI is made. So I believe the vulnerability CVE-2021-44228 is not applicable to Headwind MDM (probably because only text loggers are used).
I still think it is pretty bad to keep using this old version, though. It is not the only known CVE for it. I don't see any harm in bumping to reload4j. The MDM is security-critical, so I'd prefer that there are no known vulnerable dependencies.
I'd like to add that I scanned the dependencies, and there are a lot of known vulnerabilities as well. Some are several years old. log4j is just the most iffy one.
Thank you for the info, will work on that.
Log4j 1.2 to 1.2.17
https://logging.apache.org/log4j/1.x/ <- EOL and vulnerable version