Apache Log4j2 <=2.14.1

Hello everyone just woke up to NVD - CVE-2021-44228 which is causing quite a causing a stir on the Internet. It could be of interest to the community as we are using Java and maybe Log4j2 widely. cc @MekomSolutions @AMPATH @ibacher @dkayiwa

3 Likes

Absolutely @achachiez. We believe this impacts platform v 2.4.0 and 2.4.1.

Our security group started unpacking this at midnight EAT today and started reaching out to implementations who may have the issue. At this point, @ibacher reckons that fixing it should be a matter of ensuring Tomcat is run with -Dlog4j2.formatMsgNoLookups=true.

We will follow up ASAP with a more detailed community security advisory.

Update: Community Security Advisory posted here: Urgent Security Advisory 2021-12-11 (re Apache Log4j 2)

(To keep things in one place please use that thread for questions or public discussion.)

Special kudos to you @achachiez; even though we were already investigating this your action in raising this was great.