B4J Question Log4j exploit warning (December 2021)

tchart · Dec 10, 2021

In case anyone is using log4j you should upgrade ASAP

Log4j RCE 0-day actively exploited | CERT NZ

An unauthenticated RCE vulnerability in the commonly used Log4j java library is being actively exploited.

www.cert.govt.nz

EnriqueGonzalez · Dec 10, 2021

It is indeed ubiquitous that library

avalle · Dec 10, 2021

More info here: https://nvd.nist.gov/vuln/detail/CVE-2021-44228 and here: https://logging.apache.org/log4j/2.x/security.html

An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

b4x-de · Dec 13, 2021

Is B4JServer using Log4j?

avalle · Dec 13, 2021

jServer is based on Jetty. It provides logging via its own org.eclipse.jetty.util.log.Logger layer, and does not natively use any existing Java logging framework.
See https://docs.huihoo.com/jetty/the-definitive-reference/configuring-logging.html

b4x-de · Dec 13, 2021

I'm glad about this. Thanks. I was asking because B4JServer uses mchange-commons and it contains Log4J classes in com.mchange.v2.log

Chris2 · Dec 14, 2021

It's been deemed serious enough to warrant a BBC article as well - https://www.bbc.co.uk/news/technology-59638308

aeric · May 10, 2022

b4x-de said:
it contains Log4J classes in com.mchange.v2.log

jServer.xml:

<dependsOn>mchange-commons-java-0.2.11</dependsOn>

https://mvnrepository.com/artifact/com.mchange/mchange-commons-java/0.2.11

While this dependency is using Log4j 1.x and reported with a vulnerability CVE-2017-5929, it is not same as the vulnerabilities affected from Log4j 2.x CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228. Keep our finger crossed.

B4J Question Log4j exploit warning (December 2021)

tchart

Well-Known Member

Log4j RCE 0-day actively exploited | CERT NZ

EnriqueGonzalez

Expert

avalle

Active Member

b4x-de

Active Member

avalle

Active Member

b4x-de

Active Member

Chris2

Active Member

aeric

Expert

Similar Threads

B4J Question Log4j exploit warning (December 2021)

Well-Known Member

Expert

Active Member

Active Member

Active Member

Active Member

Active Member

Expert

Similar Threads

Privacy & Transparency

Privacy & Transparency