Also, make sure that web application ports are restricted to IP addresses for sysadmins only.

On December 9, 2021, a vulnerability was reported that could allow a system running Apache Log4j version 2.15 or below to be compromised and allow an attacker to execute arbitrary code on the vulnerable server.

If you are concerned with this CVE, we recommend that your security team manually verify whether they can reproduce the vulnerability.

The Apache Log4j 2 utility is an open source Apache framework that is a commonly used component for logging requests.

CVE-2022-33915: Versions of the Amazon AWS Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.3. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

First disclosed on 9 December 2021, the zero-day vulnerability in the ubiquitous Java logger Log4j 2, known as Log4Shell, sent shockwaves throughout the information security industry as businesses and other organisations scrambled to patch the much-feared flaw.

Packaged as a traditional WAR (we are using a Spring bootable JAR)

The vulnerability is linked to a commonly used piece of software called Log4j, a utility that runs in the background of many commonly used software applications. Affected users are recommended to update to Log4j 2.x.

SFTP Gateway does not match the following conditions: Please see more details on CVE-2021-44228.

Uses Spring Framework versions 5.3.0 to 5.3.17 (we use 5.3.12)

What is the Log4j vulnerability

As reported by ArsTechnica, a zero-day vulnerability was discovered in the Apache Log4j logging library that enables attackers.
As you may be aware, there has been a 0-day discovery in Log4j2, the Java logging library, that could result in Remote Code Execution (RCE) if an affected version of log4j (2.0 to 2.15.0) logs an attacker-controlled string value without proper validation. Log4j is a commonly used logging library made by the Apache Software Foundation that is used in countless applications across the world.

SFTP Gateway matches the following conditions:

On December 9, 2021, a vulnerability for Log4j was publicly released.

Versions and CVE conditions

For an application to be vulnerable, it would have to match several conditions outlined in the Spring advisory. Also, we were not able to reproduce the vulnerability in our initial testing of this CVE.

This applies to Spring (Java) applications under specific circumstances. Although our product is a Spring application written in Java, SFTP Gateway does not meet the conditions of this CVE (e.g.

Spring4shell is a remote command execution (RCE) vulnerability (CVE-2022-22965).

Log4j is a ubiquitous piece of software used to record activities in a wide range of systems found in consumer-facing products and services.