| Field | Value | Field | Value |
|---|---|---|---|
| Summary | dev-java/log4j: remote code execution | | |
| Product | Gentoo Security | Reporter | John Helmert III <ajak> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED OBSOLETE | | |
| Severity | major | CC | carlphilippreh, java |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | https://github.com/apache/logging-log4j2/pull/608 | | |
| See Also | https://bugs.gentoo.org/show_bug.cgi?id=829192 | | |
| Whiteboard | C1 [glsa?] | | |
| Package list | | Runtime testing required | --- |
| Bug Depends on | 829192 | | |
| Bug Blocks | 828837 | | |
Description
John Helmert III
2021-12-10 02:36:54 UTC
Sam James (comment #1):

I think this only affects 2.x.

John Helmert III (comment #2):

(In reply to Sam James from comment #1)
> I think this only affects 2.x.

https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126

"Hi @yuezk, as far as I can tell, log4j 1.x does not support lookups. [snip] CORRECTION: log4j 1.x contains a JMS Appender which can use JNDI. So I would say that, yes, log4j 1.x is also impacted by this vulnerability (Thank you @garydgregory for pointing this out)."

John Helmert III (comment #3):

(In reply to John Helmert III from comment #2)
> (In reply to Sam James from comment #1)
> > I think this only affects 2.x.
>
> https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
>
> "Hi @yuezk, as far as I can tell, log4j 1.x does not support lookups. [snip]
> CORRECTION: log4j 1.x contains a JMS Appender which can use JNDI. So I would
> say that, yes, log4j 1.x is also impacted by this vulnerability (Thank you
> @garydgregory for pointing this out)."

Well, seems like the impact in 1.x is limited to DoS (maybe?) based on https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301.

Follow-up:

(In reply to John Helmert III from comment #3)
> (In reply to John Helmert III from comment #2)
> > (In reply to Sam James from comment #1)
> > > I think this only affects 2.x.
> >
> > https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
> >
> > "Hi @yuezk, as far as I can tell, log4j 1.x does not support lookups. [snip]
> > CORRECTION: log4j 1.x contains a JMS Appender which can use JNDI. So I would
> > say that, yes, log4j 1.x is also impacted by this vulnerability (Thank you
> > @garydgregory for pointing this out)."
>
> Well, seems like the impact in 1.x is limited to DoS (maybe?) based on
> https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301.

Actually, RCE in non-default configuration: https://www.openwall.com/lists/oss-security/2021/12/13/1

Follow-up:

The affected package is last-rited, see https://bugs.gentoo.org/829192#c1

Follow-up:

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e55b6f037bdb41eae1559ecb953865d39a71105e

commit e55b6f037bdb41eae1559ecb953865d39a71105e
Author: Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2022-05-04 08:11:29 +0000
Commit: Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2022-05-04 08:13:46 +0000

    dev-java/log4j: treeclean

    Bug: https://bugs.gentoo.org/828657
    Bug: https://bugs.gentoo.org/719146
    Bug: https://bugs.gentoo.org/829192
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 dev-java/log4j/Manifest               |  1 -
 dev-java/log4j/log4j-1.2.17-r3.ebuild | 70 -----------------------------------
 dev-java/log4j/metadata.xml           | 12 ------
 profiles/package.mask                 |  6 ---
 4 files changed, 89 deletions(-)
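The thread above settles on the point that log4j 1.x is exposed through JNDI only when its JMS Appender is configured, i.e. in a non-default configuration. The following is an added audit helper, not code from the Gentoo bug or the log4j project, that reads a log4j 1.x configuration (properties or XML form) and reports which appenders are `org.apache.log4j.net.JMSAppender` (the real class name of the 1.2 JMS appender). The sample configurations embedded below are constructed for this example; a deployment whose audit returns an empty list is not in the configuration the thread describes, while a non-empty result names the appender to remove.

```python
"""Audit log4j 1.x configuration text for a configured JMSAppender.

Added example (not from the bug or the log4j project). Both the
log4j.properties and the log4j.xml forms are handled. The configs at
the bottom are constructed samples for demonstration.
"""
import re
import xml.etree.ElementTree as ET
from typing import List

# Fully qualified class name of the log4j 1.2 JMS appender.
JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"

# properties form:  log4j.appender.<name>=<class>
# (lines such as log4j.appender.<name>.layout=... do not match)
_PROP_APPENDER = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$")


def jms_appenders_in_properties(text: str) -> List[str]:
    """Names of appenders in a log4j.properties file whose class is JMSAppender."""
    found = []
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):  # properties-file comments
            continue
        m = _PROP_APPENDER.match(line)
        if m and m.group(2) == JMS_APPENDER_CLASS:
            found.append(m.group(1))
    return found


def jms_appenders_in_xml(text: str) -> List[str]:
    """Names of <appender> elements in a log4j.xml file whose class is JMSAppender."""
    root = ET.fromstring(text)
    # <appender> children carry no namespace prefix, only the root does.
    return [
        el.get("name", "")
        for el in root.iter("appender")
        if el.get("class") == JMS_APPENDER_CLASS
    ]


def audit_config(text: str) -> List[str]:
    """Pick the parser from the text's shape and return the JMS appender names."""
    if text.lstrip().startswith("<"):
        return jms_appenders_in_xml(text)
    return jms_appenders_in_properties(text)


# --- constructed samples -------------------------------------------------

SAFE_PROPERTIES = """\
# constructed sample: console logging only (default-style configuration)
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
"""

JMS_PROPERTIES = """\
# constructed sample: JMSAppender configured, the non-default case from the thread
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
"""

JMS_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="stdout" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="logTopic"/>
  </appender>
  <root><level value="info"/><appender-ref ref="jms"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    for label, cfg in [("safe.properties", SAFE_PROPERTIES),
                       ("jms.properties", JMS_PROPERTIES),
                       ("jms.xml", JMS_XML)]:
        hits = audit_config(cfg)
        verdict = "JMSAppender configured: %s" % hits if hits else "no JMSAppender"
        print("%-16s %s" % (label, verdict))
```

Run it against real files by reading each `log4j.properties` or `log4j.xml` into `audit_config`; the check is purely textual and does not load any Java class, so it is safe to run on a production host.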