0-Day RCE in log4j, present in at least one package

Comment by loqs (loqs) - Saturday, 11 December 2021, 20:14 GMT

Comment by Justin Kromlinger (hashworks) - Sunday, 12 December 2021, 13:33 GMT

Regarding elasticsearch: I've implemented the linked patch in 7.10.2-2. It replaces `/usr/share/elasticsearch/lib/log4j-core-2.11.1.jar` with `elasticsearch-log4j-7.10.2.jar`, which doesn't include the `JndiLookup.class`:
```
old/org/apache/logging/log4j/core/util/JndiCloser.class
old/org/apache/logging/log4j/core/selector/JndiContextSelector.class
old/org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class
old/org/apache/logging/log4j/core/net/JndiManager$1.class
old/org/apache/logging/log4j/core/net/JndiManager.class
old/org/apache/logging/log4j/core/lookup/JndiLookup.class <-----
new/org/apache/logging/log4j/core/util/JndiCloser.class
new/org/apache/logging/log4j/core/selector/JndiContextSelector.class
new/org/apache/logging/log4j/core/net/JndiManager.class
new/org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class
new/org/apache/logging/log4j/core/net/JndiManager$1.class
```

Comment by freswa (frederik) - Sunday, 12 December 2021, 14:09 GMT

ghidra is fixed with 10.1 in [community]

Comment by David Runge (dvzrv) - Sunday, 12 December 2021, 14:51 GMT

solr is fixed with 8.11.0-2 in [community]

Comment by Massimiliano Torromeo (mtorromeo) - Sunday, 12 December 2021, 16:47 GMT

logstash patched in 7.10.2-1

Comment by Massimiliano Torromeo (mtorromeo) - Sunday, 12 December 2021, 16:52 GMT

openfire updated to 4.6.5 which already uses log4j 2.15.0

Comment by Freedom Dev (FreedomDev) - Monday, 16 May 2022, 19:37 GMT

scanner: https://github.com/logpresso/CVE-2021-44228-Scanner
args:[--scan-log4j1 --scan-logback --scan-zip /]

netbeans 13-1 [?] Found CVE-2021-4104 (log4j 1.2) vulnerability in /usr/lib/netbeans/ide/modules/ext/log4j-1.2.15.jar, log4j 1.2.15
(https://blogs.apache.org/netbeans/entry/log4j-and-apache-netbeans)

jmol 14.32.55-1 [?] Found CVE-2021-4104 (log4j 1.2) vulnerability in /usr/share/jmol/JmolData.jar, log4j 1.2.14
jmol 14.32.55-1 [?] Found CVE-2021-4104 (log4j 1.2) vulnerability in /usr/share/jmol/Jmol.jar, log4j 1.2.14
(https://bugs.archlinux.org/task/74845)->(https://sourceforge.net/p/jmol/code/22275/)-OK

zaproxy 2.11.1-1 [*] Found CVE-2021-45046 (log4j 2.x) vulnerability in /usr/share/zaproxy/lib/log4j-core-2.15.0.jar, log4j 2.15.0
>fixed<
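
As an added example for this thread (not code from the report or from any of the packagers above), here is a small Python checker that applies the same test hashworks ran on the elasticsearch jar and that the logpresso scanner output above reports per package: list a jar's entries, descend into jars bundled inside it, and flag `org/apache/logging/log4j/core/lookup/JndiLookup.class` (log4j 2.x) and `org/apache/log4j/net/JMSAppender.class` (the log4j 1.2 class behind CVE-2021-4104). It also reads the version from a Maven `pom.properties` when the jar carries one. The marker paths are the standard log4j class locations; the `build_jar` helper, the placeholder class bytes and every sample jar are constructed here for the example.

```python
"""Flag Log4Shell-relevant classes inside a jar, including jars nested in it.

Added example for this thread; not code from any of the packagers above.
"""
import io
import zipfile

# Marker classes (assumption: the class paths a packager removes or looks for).
# JndiLookup.class is the entry the elasticsearch-log4j replacement jar drops;
# JMSAppender.class is the log4j 1.2 class behind the CVE-2021-4104 findings.
MARKER_CLASSES = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class":
        "log4j 2.x JndiLookup (CVE-2021-44228 / CVE-2021-45046)",
    "org/apache/log4j/net/JMSAppender.class":
        "log4j 1.2 JMSAppender (CVE-2021-4104)",
}
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def log4j_version(zf):
    """Return the version from a Maven pom.properties inside the jar, if any."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None


def scan_jar_bytes(data, prefix=""):
    """Return (location, description, version) tuples for every marker class.

    Locations inside nested archives use the 'outer.jar!/inner/path' form.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        version = log4j_version(zf)
        for name in zf.namelist():
            if name in MARKER_CLASSES:
                findings.append((prefix + name, MARKER_CLASSES[name], version))
            elif name.lower().endswith(NESTED_SUFFIXES):
                try:
                    findings.extend(scan_jar_bytes(zf.read(name), prefix + name + "!/"))
                except zipfile.BadZipFile:
                    pass  # not a real archive despite the suffix; skip it
    return findings


def scan_jar_file(path):
    """Scan a jar on disk; locations are prefixed with its path."""
    with open(path, "rb") as f:
        return scan_jar_bytes(f.read(), path + "!/")


def build_jar(entries):
    """Constructed test helper: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples mirroring the listing above; placeholder class bytes only.
CLASS_STUB = b"\xca\xfe\xba\xbe"
POM_2_11_1 = b"version=2.11.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n"
OLD_LOG4J_CORE = build_jar({
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": POM_2_11_1,
    "org/apache/logging/log4j/core/util/JndiCloser.class": CLASS_STUB,
    "org/apache/logging/log4j/core/net/JndiManager.class": CLASS_STUB,
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": CLASS_STUB,
})
NEW_LOG4J_CORE = build_jar({
    "org/apache/logging/log4j/core/util/JndiCloser.class": CLASS_STUB,
    "org/apache/logging/log4j/core/net/JndiManager.class": CLASS_STUB,
})
OLD_LOG4J_12 = build_jar({"org/apache/log4j/net/JMSAppender.class": CLASS_STUB})
# An application archive bundling the old core jar one level down (constructed).
APP_BUNDLE = build_jar({"lib/log4j-core-2.11.1.jar": OLD_LOG4J_CORE,
                        "README.txt": b"constructed"})

if __name__ == "__main__":
    for label, data in [("old core", OLD_LOG4J_CORE), ("new core", NEW_LOG4J_CORE),
                        ("log4j 1.2", OLD_LOG4J_12), ("bundle", APP_BUNDLE)]:
        hits = scan_jar_bytes(data)
        for loc, desc, ver in hits:
            print(f"[{label}] {desc} at {loc} (version {ver})")
        if not hits:
            print(f"[{label}] no marker classes found")
```

To check an installed package, call `scan_jar_file("/usr/share/elasticsearch/lib/elasticsearch-log4j-7.10.2.jar")` (the path from hashworks' comment) and expect an empty list; the old `log4j-core-2.11.1.jar` would return one `JndiLookup.class` finding. The nested-archive descent is what makes the check useful for application bundles such as the war or zip files a scanner like the one above walks.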

Comment by Leonidas Spyropoulos (inglor) - Wednesday, 18 May 2022, 23:52 GMT

zaproxy patched in 2.11.1-2 [community]

Comment by loqs (loqs) - Tuesday, 24 May 2022, 19:30 GMT