This should be something that static code analyzers should pick up. If a log4j dependency is <2.15, then it needs to be updated.

Just in time to ruin all of the reports project managers present to executives

the vulnerable feature is not in log4j < 2.10

see https://github.com/apache/logging-log4j2/pull/608#issuecomme...

and you can just delete the affected class


> the vulnerable feature is not in log4j < 2.10

The comment you cited is referring to the option to disable the vulnerable feature, not the vulnerable feature itself.

Per https://github.com/apache/logging-log4j2/pull/608#issuecomme... even log4j 1.x is vulnerable.


Does that mean it's only vulnerable if JMSAppender is used otherwise not? Which should at least be a rarer use case.


Log4J 1 is only vulnerable for JMS. Log4J 2 is vulnerable < 2.15.0. There are mitigations for > 2.10.0 and > 2.7.0.


What I understood from that comment is that log4j 1.x is only vulnerable if you use the JMS Appender, which is probably not the most common configuration.


Please ignore my comment on the version; agwa is right: update the library or delete the vulnerable class.
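A defender-side dependency check that applies the thresholds quoted in this thread (fixed in 2.15.0, mitigations from 2.10 and 2.7, log4j 1.x affected only through JMSAppender) together with the "update or delete the vulnerable class" advice, as an added example that is not from any commenter here. The Maven coordinate format and the sample dependency lines are constructed, and the mitigation property and pattern names are not stated in the thread.

```python
import re
from typing import List, NamedTuple, Optional
# Thresholds quoted in the thread: fixed in 2.15.0, mitigations for >= 2.10 and >= 2.7, 1.x only via JMSAppender.
FIXED = (2, 15, 0, 1)
PROPERTY_MITIGATION = (2, 10, 0, 1)  # log4j2.formatMsgNoLookups=true (my knowledge, not stated in the thread)
PATTERN_MITIGATION = (2, 7, 0, 1)    # %m{nolookups} in PatternLayout (likewise)

Finding = NamedTuple("Finding", [("coordinate", str), ("status", str), ("advice", str)])
def parse_version(text: str) -> tuple:
    # '2.14.1' -> (2, 14, 1, 1); '2.15.0-rc1' -> (2, 15, 0, 0): the trailing flag makes a pre-release
    # sort below its final release, so a 2.15.0 RC is still reported as unfixed.
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9.]+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if qualifier else 1)

def classify(coordinate: str, jms_appender_configured: bool = False) -> Optional[Finding]:
    # Input lines are assumed to be Maven 'groupId:artifactId:type:version:scope' coordinates.
    parts = coordinate.strip().split(":")
    if len(parts) < 4:
        return None
    group, artifact, version = parts[0], parts[1], parts[3]
    if group == "org.apache.logging.log4j" and artifact == "log4j-core":
        v = parse_version(version)
        if v >= FIXED:
            return Finding(coordinate, "fixed", "no action needed")
        if v >= PROPERTY_MITIGATION:
            return Finding(coordinate, "vulnerable", "upgrade to 2.15.0; interim: log4j2.formatMsgNoLookups=true")
        if v >= PATTERN_MITIGATION:
            return Finding(coordinate, "vulnerable", "upgrade to 2.15.0; interim: %m{nolookups} in PatternLayout")
        return Finding(coordinate, "vulnerable", "upgrade to 2.15.0 or delete JndiLookup.class from the jar")
    if group == "log4j" and artifact == "log4j":  # log4j 1.x coordinates
        if jms_appender_configured:
            return Finding(coordinate, "vulnerable", "remove JMSAppender from the log4j 1.x configuration")
        return Finding(coordinate, "conditional", "affected only if JMSAppender is configured; check log4j config")
    return None  # not a log4j artifact

def scan(dependency_lines: List[str], jms_appender_configured: bool = False) -> List[Finding]:
    findings = (classify(line, jms_appender_configured) for line in dependency_lines)
    return [f for f in findings if f is not None]

# Constructed sample in `mvn dependency:list` style (not real project data).
SAMPLE = [
    "org.apache.logging.log4j:log4j-core:jar:2.14.1:compile",
    "org.apache.logging.log4j:log4j-core:jar:2.15.0-rc1:test",
    "log4j:log4j:jar:1.2.17:compile",
    "com.fasterxml.jackson.core:jackson-databind:jar:2.12.5:compile",
]
```

Feed it the output of your build tool's dependency listing; `scan(SAMPLE)` flags both log4j-core entries (the RC included) and marks the 1.x entry as conditional.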


“Also, we can't be sure about the whole scenario. There are reports that indicate this RCE is still possible in 2.15+ RC builds, so there is a chance there are also other gateways to achieve the same effect.”


They will :)