Apache Log4j2 <=2.14.1

Hello everyone, I just woke up to https://nvd.nist.gov/vuln/detail/CVE-2021-44228, which is causing quite a stir on the Internet. It could be of interest to the community, as we are using Java and maybe Log4j2 widely. cc @Mekom @AMPATH @ibacher @dkayiwa


Absolutely @achachiez. We believe this impacts platform v 2.4.0 and 2.4.1.

Our security group started unpacking this at midnight EAT today and started reaching out to implementations who may have the issue. At this point, @ibacher reckons that fixing it should be a matter of ensuring Tomcat is run with -Dlog4j2.formatMsgNoLookups=true.

We will follow up ASAP with a more detailed community security advisory.

Update: Community Security Advisory posted here: Urgent Security Advisory 2021-12-11 (re Apache Log4j 2)

(To keep things in one place please use that thread for questions or public discussion.)

Special kudos to you @achachiez; even though we were already investigating this your action in raising this was great.
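The reply above points implementers at the `-Dlog4j2.formatMsgNoLookups=true` JVM flag. Before relying on it, an implementer first needs to know which log4j-core the deployed WAR actually bundles. The following is an added example, not OpenMRS or Log4j project code: it walks `WEB-INF/lib` of a WAR, reads the version from log4j-core's `pom.properties`, checks whether `JndiLookup.class` is still present, and flags versions below 2.15.0 as in the range this thread describes (<= 2.14.1). The sample WAR it scans is constructed inline as a fixture; the threshold constant, the `build_sample_war` helper and the `scan_war` function names are this example's own assumptions.

```python
"""Scan a WAR for a bundled log4j-core jar and report whether it falls in the
CVE-2021-44228 range (<= 2.14.1 per this thread) and whether JndiLookup.class
is still present. Added example for the discussion above, not OpenMRS code."""
import io
import re
import zipfile

# Assumed threshold, taken from the thread title: anything below 2.15.0 is affected.
FIXED_VERSION = (2, 15, 0)
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS_RE = re.compile(
    r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-beta9' or '-rc1' are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True when the log4j-core version is below FIXED_VERSION."""
    v = parse_version(version) if isinstance(version, str) else version
    return v is not None and v < FIXED_VERSION


def inspect_log4j_core(jar_bytes):
    """Return the version recorded in pom.properties and whether JndiLookup is present."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        for n in names:
            if POM_PROPS_RE.search(n):
                for line in zf.read(n).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
        return {"version": version, "jndi_lookup_present": JNDI_LOOKUP in names}


def scan_war(war_bytes):
    """Inspect every log4j-core*.jar under the WAR.
    Returns a list of (jar path, version, jndi_lookup_present, affected)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            base = name.rsplit("/", 1)[-1]
            if base.startswith("log4j-core") and base.endswith(".jar"):
                info = inspect_log4j_core(war.read(name))
                affected = is_affected(info["version"]) if info["version"] else None
                findings.append((name, info["version"], info["jndi_lookup_present"], affected))
    return findings


def build_sample_war(version, include_jndi=True):
    """Constructed fixture: a minimal WAR bundling a fake log4j-core jar
    with only pom.properties and (optionally) a stub JndiLookup.class."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr(
            "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
            f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    war_buf = io.BytesIO()
    with zipfile.ZipFile(war_buf, "w") as war:
        war.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", jar_buf.getvalue())
    return war_buf.getvalue()


if __name__ == "__main__":
    for ver, jndi in [("2.14.1", True), ("2.15.0", True), ("2.14.1", False)]:
        for name, v, present, affected in scan_war(build_sample_war(ver, jndi)):
            print(f"{name}: version={v} affected={affected} JndiLookup present={present}")
```

To scan a real deployment, pass `open("openmrs.war", "rb").read()` to `scan_war`. Two practitioner caveats on the flag itself: the `log4j2.formatMsgNoLookups` property only exists in Log4j 2.10 and later, so the version check matters, and Tomcat picks the flag up when it is set in `bin/setenv.sh` as `CATALINA_OPTS="$CATALINA_OPTS -Dlog4j2.formatMsgNoLookups=true"`. Apache's own advisory also describes removing the class from the jar (`zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`), which the `jndi_lookup_present` field above lets you confirm; later Log4j advisories raised the fixed version beyond 2.15.0, so treat `FIXED_VERSION` as a parameter rather than a constant.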