I see that CentOS 7 has log4j-1.2.17… Is it OK to use? I know the CVE was against 2.0 forward, but I don't know whether something was backported to 1.2?
Thanks, Steve
9 thoughts on - Log4j Cve
Hello Steve,
On 2021-12-14 13:42, Steve Clark via CentOS wrote:
Hi List,
I see that CentOS 7 has log4j-1.2.17… Is it OK to use? I know the CVE was against 2.0 forward, but I don't know whether something was backported to 1.2?
Thanks, Steve
log4j version 1.2 is definitely *NOT* OK to use.
The Apache website https://logging.apache.org/log4j/1.2/ says:
"On August 5, 2015 the Logging Services Project Management Committee announced that Log4j 1.x had reached end of life."
There is already an unpatched CVE from 2019 for log4j 1.2.
It's really time to upgrade.
Kind regards,
Steve
This is the standard version that comes with CentOS 7 and is the latest available as of a yum update just now. log4j-1.2.17-16.el7_4.noarch
Hello Steve,
On 2021-12-14 14:14, Steve Clark wrote:
Yes, that's correct, but it is abandoned nonetheless.
According to the RPM's change log, Red Hat backported a fix for CVE-2017-5645. They have not done this for CVE-2019-17571, it seems. I would be very surprised if they'd do so now.
Kind regards,
Steve
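An added example, not code from the thread or from the log4j project, of the check described above: reading the installed log4j RPM's changelog for the two CVE IDs discussed here. It is a POSIX shell script. The changelog text embedded in it is constructed so that it runs offline; on an EL7 host it reads rpm -q log4j and rpm -q --changelog log4j instead. The function names and the sample packager line are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): triage the distro log4j 1.x RPM on an
# EL7 host the way the posters did by hand, by looking for backported CVE
# fixes in the package changelog. The CVE IDs are the two named in the thread:
# CVE-2017-5645 and CVE-2019-17571.

# Constructed stand-in for `rpm -q --changelog log4j` (assumption: only the
# CVE line is modelled; a real entry carries date, packager and version).
SAMPLE_CHANGELOG='* Thu Jun 08 2017 Example Packager <pkg@example.invalid> - 1.2.17-16
- Resolves: CVE-2017-5645 - SocketServer deserialization of untrusted data
* Wed Jan 20 2016 Example Packager <pkg@example.invalid> - 1.2.17-15
- Rebuild'

# Extract the upstream version from an RPM NEVRA such as
# log4j-1.2.17-16.el7_4.noarch. Prints e.g. 1.2.17.
log4j_version_from_nevra() {
    printf '%s\n' "$1" | sed -E 's/^log4j-([0-9]+(\.[0-9]+)*)-.*$/\1/'
}

# Return 0 if the changelog text ($1) names the CVE ($2) on any line,
# 1 otherwise. -w keeps CVE-2017-5645 from matching CVE-2017-56450.
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -qw -- "$2"
}

# Print the CVE IDs from the list ($2...) that the changelog ($1) does not
# name, space separated; prints an empty line when every ID is present.
missing_cves() {
    changelog="$1"; shift
    missing=""
    for cve in "$@"; do
        changelog_mentions_cve "$changelog" "$cve" || missing="$missing $cve"
    done
    printf '%s\n' "${missing# }"
}

# Stand-alone run: use the live RPM database when rpm and the package exist,
# otherwise fall back to the constructed sample.
if command -v rpm >/dev/null 2>&1 && rpm -q log4j >/dev/null 2>&1; then
    nevra="$(rpm -q log4j)"
    changelog="$(rpm -q --changelog log4j)"
else
    nevra="log4j-1.2.17-16.el7_4.noarch"
    changelog="$SAMPLE_CHANGELOG"
fi
echo "log4j upstream version: $(log4j_version_from_nevra "$nevra")"
m="$(missing_cves "$changelog" CVE-2017-5645 CVE-2019-17571)"
if [ -z "$m" ]; then
    echo "changelog names both CVEs"
else
    echo "changelog does not name: $m (check the vendor advisory before deciding)"
fi
```

A missing ID in the changelog is only evidence that the vendor did not name it, not proof that the code is unfixed: as the later replies in this thread note, Red Hat treats CVE-2019-17571 as the same issue as CVE-2017-5645, so the changelog may carry only the older ID. The vendor advisory (RHSB-2021-009 and RHSA-2017:2423 below) is the authoritative source; the script just tells you which IDs to look up.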
Well, given that they indicated on their page for this CVE that they were still investigating the potential for the vulnerability existing in 1.2, it may happen.
It would be nice if there was a log4j-2 RPM available for C7, but as of this point, I've not been able to locate one.
It seems CVE-2019-17571 is also covered by the fix for CVE-2017-5645:
https://access.redhat.com/node/4677071
Regards, Simon
https://access.redhat.com/node/4677071
According to that link CVE-2019-17571 is the same issue as CVE-2017-5645 and both are listed as fixed in this errata:
https://access.redhat.com/errata/RHSA-2017:2423
So I think it's fixed. Best regards, markus
According to https://access.redhat.com/security/vulnerabilities/RHSB-2021-009
Red Hat 7 is not impacted by this problem. This may still be something in flux. We are removing all instances of log4j from our systems; the software using it is not important to us, just a convenience.
Stuart
Quoting Steve Meier:
Tools
All links without checking content or quality
https://log4shell.huntress.com/ (source: Sven Kuhnert)
https://therecord.media/log4j-zero-day-gets-security-fix-just-as-scans-for-vulnerable-systems-ramp-up/
Practical application: BlueTeam CheatSheet *Log4Shell* | Last updated: 2021-12-12 2129 UTC · GitHub
https://logging.apache.org/log4j/2.x/security.html
Press
https://www.heise.de/news/Log4j-2-16-0-verbessert-Schutz-vor-Log4Shell-Luecke-6294053.html
https://www.golem.de/news/log4j-luecke-warum-log4shell-so-gefaehrlich-ist-und-was-nicht-hilft-2112-161757-4.html
Note: the comments on the articles contain assessments and hints; newest articles at the top
https://www.heise.de/ratgeber/Schutz-vor-schwerwiegender-Log4j-Luecke-was-jetzt-hilft-und-was-nicht-6292961.html
https://www.golem.de/news/log4shell-bsi-vergibt-hoechste-warnstufe-fuer-log4j-luecke-2112-161734.html
https://www.spiegel.de/netzwelt/web/log4j-luecke-bundesbehoerden-von-schwerer-it-schwachstelle-betroffen-a-6cb889d2-ba8d-48f8-a27a-f923bf11b563
https://www.spiegel.de/netzwelt/web/log4-j-schwachstelle-ja-leute-die-scheisse-brennt-lichterloh-a-760bd03d-42d2-409c-a8d2-d5b13a9150fd
https://www.spiegel.de/netzwelt/web/bundesbehoerde-warnt-vor-schwachstelle-in-weit-verbreiteter-software-a-55bc413b-2e01-446c-8ee6-5fabfee3b0f2
Technical sources
https://www.heise.de/news/Kritische-Zero-Day-Luecke-in-log4j-gefaehrdet-zahlreiche-Server-und-Apps-6291653.html
https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2021/12/warnmeldung_cb-k21-1264.html?nn=520170
https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-549032-10F2.pdf?__blob=publicationFile&v=3
Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation | CISA
Java vulnerability Log4Shell – what happened and what to do – Sophos News
Log4Shell explained – how it works, why you need to know, and how to fix it – Naked Security (sophos.com)
Quoting Ralf Prengel:
Sorry, cut & paste error.
Ralf