logpresso / CVE-2021-44228-Scanner

Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
Apache License 2.0

Regression: 2.4.1 and 2.5.3 detect but cannot mitigate log4j 2.16 in Oracle SQL Developer distribution. #201

Closed RoguishSmurf closed 2 years ago

RoguishSmurf commented 2 years ago

Version 2.4.0 detected and mitigated log4j 2.16 in latest Oracle SQL Developer sqldeveloper-21.4.1.349.1822-x64. Versions 2.4.1 and 2.5.3 both detect the 2.16 vulnerability but do not mitigate it.

xeraph commented 2 years ago

@RoguishSmurf v2.4.0 behavior is a bug. 2.16.0 should be upgraded to 2.17.0. DoS cannot be fixed by removing JndiLookup.class.

RoguishSmurf commented 2 years ago

Thank you for the rapid response.
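
The rule stated in the maintainer's reply, as an added example (not code from the Logpresso scanner or from anyone in this thread): a log4j-core 2.16.0 jar gets the same "upgrade" verdict whether or not `JndiLookup.class` has been removed. The names `make_jar` and `assess`, the verdict strings, and the sample jars are constructed for illustration; below 2.16.0 the example only reports whether the class is present and does not model the backport release lines.

```python
import io
import re
import zipfile

# Paths inside a log4j-core jar.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def make_jar(version, with_jndi=True):
    """Build a constructed stand-in for a log4j-core jar (sample input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            z.writestr(JNDI, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return buf.getvalue()


def assess(jar_bytes):
    """Return (version, verdict) for one jar held in memory."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = set(z.namelist())
        if POM not in names:
            return None, "NOT_LOG4J_CORE"
        props = z.read(POM).decode("utf-8", "replace")
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", props, re.M)
    if not m:
        return None, "UNKNOWN_VERSION"
    ver = tuple(int(g or 0) for g in m.groups())
    text = ".".join(map(str, ver))
    if ver >= (2, 17, 0):
        return text, "AT_OR_ABOVE_2.17.0"
    if ver == (2, 16, 0):
        # Per the maintainer's reply: the DoS is not fixed by removing
        # JndiLookup.class, so class presence must not change the verdict.
        return text, "UPGRADE_TO_2.17.0"
    # Assumption of this example: below 2.16.0, only report whether the
    # JndiLookup.class removal for CVE-2021-44228 has been applied.
    return text, "JNDILOOKUP_PRESENT" if JNDI in names else "JNDILOOKUP_REMOVED"


if __name__ == "__main__":
    for v, jndi in [("2.14.1", True), ("2.14.1", False), ("2.16.0", True), ("2.16.0", False)]:
        print(v, jndi, assess(make_jar(v, jndi)))
```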