freeciv/freeciv-web

Log4j Arbitrary Remote Code Execution Vulnerability (CVE-2021-44228)

SnowyJune678 opened this issue · 1 comments

The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, that has been addressed in Log4j 2.15.0.

Log4j’s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code execution. Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap protocols to only accessing Java primitive objects by default served on the local host.
-logging.apache.org

I have yet to find or test specific attack vectors in the freeciv-web project, or its downstream forks.

Additional information:
https://www.lunasec.io/docs/blog/log4j-zero-day/
GHSA-jfh8-c2jp-5v3q
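An added triage check for the advisory quoted above (example code, not freeciv-web's own and not from the issue author): it scans a Maven pom.xml for `log4j-core` declarations that are 2.x releases below the 2.15.0 fix, resolving `${property}` version references the way a build would. The pom content is constructed for illustration.

```python
# Added example (not freeciv-web code): flag Maven log4j-core declarations
# that are 2.x releases below the 2.15.0 fix named in the advisory.
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (2, 15, 0)
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom: log4j-core pinned through a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j.version>2.14.1</log4j.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a qualifier such as '-beta9' is dropped."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())

def vulnerable_log4j_core(pom_xml):
    """Return log4j-core versions that are 2.x and below 2.15.0.

    ${property} references are resolved from <properties>; an unparseable
    version is returned as-is so a human can inspect it.
    """
    root = ET.fromstring(pom_xml)
    props_el = root.find("m:properties", POM_NS)
    props = {} if props_el is None else {
        p.tag.rsplit("}", 1)[-1]: (p.text or "") for p in props_el}
    hits = []
    for dep in root.iterfind(".//m:dependency", POM_NS):
        group = dep.findtext("m:groupId", "", POM_NS)
        artifact = dep.findtext("m:artifactId", "", POM_NS)
        if (group, artifact) != ("org.apache.logging.log4j", "log4j-core"):
            continue
        raw = dep.findtext("m:version", "", POM_NS)
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)), raw)
        parsed = parse_version(version)
        # Only the 2.x line carries the JNDI lookup this CVE concerns.
        if not parsed or (parsed[0] == 2 and parsed < FIXED_VERSION):
            hits.append(version)
    return hits
```

Transitive dependencies are not covered by this pom-only check; `mvn dependency:tree` (or the resolved jars on the classpath) is the authoritative source for what actually ships.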

Can you please close this? @cazfi