Log4j Vuln #94
Comments
@h-mdm Any chance you can take a look at https://reload4j.qos.ch/? It should be a drop-in replacement for log4j 1.2.17, so you don't need to update the code base. The vuln is quite dangerous so it would be great to just have this as a quick fix for now.
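The swap suggested above, as an added Maven example (this is not the Headwind MDM pom, and the reload4j version and the `some.vendor:some-lib` placeholder are assumptions): the direct `log4j:log4j` dependency is replaced by `ch.qos.reload4j:reload4j`, which keeps the `org.apache.log4j` package names so no source changes are needed, and any library that still pulls log4j 1.2.x in transitively gets an exclusion so that only one implementation ends up on the classpath.

```xml
<!-- Added example, not the project's own pom.xml. -->
<dependencies>
  <!-- 1. Replace the EOL log4j 1.2.17 artifact with reload4j.
          The version is an assumption; use the current reload4j release. -->
  <dependency>
    <groupId>ch.qos.reload4j</groupId>
    <artifactId>reload4j</artifactId>
    <version>1.2.19</version>
  </dependency>

  <!-- 2. Any dependency that still drags in log4j:log4j transitively must
          exclude it, otherwise both jars end up on the classpath and the
          vulnerable one may still be loaded. "some.vendor:some-lib" and its
          version are placeholders for such a dependency. -->
  <dependency>
    <groupId>some.vendor</groupId>
    <artifactId>some-lib</artifactId>
    <version>PLACEHOLDER-VERSION</version>
    <exclusions>
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>
```

To check the result, run `mvn dependency:tree -Dincludes=log4j:log4j` after the change: an empty match means the old artifact is gone, and any path it still prints names the dependency that needs an exclusion added.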
I have implemented an exploit of CVE-2021-44228 mentioned in https://www.lunasec.io/docs/blog/log4j-zero-day/, and it didn't work. The line ${jndi:ldap://127.0.0.1/a} is logged as it is; no attempt at remote access via JNDI is made. So I believe the vulnerability CVE-2021-44228 is not applicable to Headwind MDM (probably because only text loggers are used).
I still think it is pretty bad to keep using this old version though. It is not the only known CVE for it. I don't see any harm in bumping to reload4j. The MDM is security critical, so I'd prefer if there are no known vulnerable dependencies.
I'd like to add that I scanned the dependencies and there are a lot of known vulnerabilities as well. Some are several years old. The log4j one is just the most iffy.
Thank you for the info, will work on that.
Log4j 1.2 to 1.2.17
https://logging.apache.org/log4j/1.x/ <- EOL and vulnerable version