Log4j Critical Vulnerability - Remote Code Injection

Question

Log4j Critical Vulnerability - Remote Code Injection

jekhokie opened this issue 3 years ago · 2 comments

Based on GHSA-jfh8-c2jp-5v3q:
"Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser."
In addition, according to CVE-2021-4104, Log4j 1.2 is subject to similar RCE when JMSAppenders are used, and Log4j 1.x is well out of support at this time.

It's advised to migrate to Log4j 2.16.0 at this time. Based on the severity of the issue, request that this be dealt with via a backport approach if at all possible. Would it be possible to migrate to Log4j 2.16.0 to mitigate the risk to anyone using this application?

Thank you!

Answer 1 · 2022-01-05T16:09:38.000Z

You can follow this PR : confluentinc/common#403 which will be included in 5.5.8 release

Answer 2 · 2022-01-11T01:39:33.000Z

Please see https://support.confluent.io/hc/en-us/articles/4412615410580-December-2021-Log4j-Vulnerabilities-Advisory