After CVE-2021-44228 we now have a new related vulnerability, CVE-2021-45046.
This last CVE shows that Log4j version 2.15 is still vulnerable to certain attack variants, even with -Dlog4j2.formatMsgNoLookups=true.
So it seems really paramount that organisations start patching their servers with the latest Log4j 2.16 version, which disables the attack vector completely (JNDI is disabled by default).
So to summarise the situation:
- Updating your JVM to a specific version doesn't help. Log4j 2.x is vulnerable on every JVM version.
- Setting -Dlog4j2.formatMsgNoLookups=true will NOT block all attack variants.
- Log4j 2.15 is still vulnerable; update to version 2.16.
So if you run any recent version of Servoy (8.4 and up) you can replace the log4j jars with the latest ones from apache.org. If you use SmartClient you still need to code sign these jars; for Web- and NGClient deployments this is not really necessary.
The InfoSec community is reporting that, after coin miners and malware that makes your server part of botnets (Mirai and others), they now see attackers loading ransomware and remote access tools.
@servoy maybe you need to send out an updated advisory email.
On a lighter note. Today I learned that Log4j is pronounced 'Log Forge', not 'Log Four Jay' or any other variation.
Maybe we should rename ServoyForge to Servoy4j
On an even lighter note (but is it really?) I leave you with this (credit):
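As an added example (not from the original post, and not Servoy's or Apache's code), here is a small Python scanner that walks a deployment directory for log4j-core jars and flags anything below 2.16.0, the version the post says to update to. It reads the version from each jar's META-INF/MANIFEST.MF and falls back to the filename when the manifest is missing. The sample jars it creates are constructed stand-ins containing only a manifest, and the lib/ layout is an assumption, not Servoy's actual directory structure.

```python
"""Added example: find log4j-core jars under a directory and report which
ones are below 2.16.0 (the post's update threshold). Not project code."""
import os
import re
import tempfile
import zipfile

# Anything below this is treated as needing the update the post describes.
MINIMUM_SAFE = (2, 16, 0)
FILENAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.15.0' -> (2, 15, 0), so versions compare as tuples, not strings."""
    return tuple(int(part) for part in text.strip().split("."))


def jar_version(path):
    """Prefer Implementation-Version from the manifest; fall back to the
    filename. Returns None if neither gives a usable version."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line.split(":", 1)[1])
    except (zipfile.BadZipFile, KeyError):
        pass  # not a zip, or no manifest: try the filename instead
    match = FILENAME_RE.search(os.path.basename(path))
    return parse_version(match.group(1)) if match else None


def scan(root):
    """Return a list of (path, version, needs_update) for every log4j-core
    jar below root. Unknown versions are reported as needing attention."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                needs_update = version is None or version < MINIMUM_SAFE
                findings.append((path, version, needs_update))
    return findings


def make_sample_jar(path, version=None):
    """Constructed sample jar: a zip holding only a manifest (or nothing),
    used here so the example runs without real log4j builds."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        if version is not None:
            jar.writestr(
                "META-INF/MANIFEST.MF",
                f"Manifest-Version: 1.0\nImplementation-Version: {version}\n",
            )


def demo():
    """Build a constructed deployment tree (assumed lib/ layout) and scan it.
    Returns {jar filename: needs_update}."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "lib")
    make_sample_jar(os.path.join(lib, "log4j-core-2.15.0.jar"), "2.15.0")
    make_sample_jar(os.path.join(lib, "log4j-core-2.16.0.jar"), "2.16.0")
    # No manifest at all: the scanner must fall back to the filename.
    make_sample_jar(os.path.join(lib, "log4j-core-2.14.1.jar"))
    return {os.path.basename(p): needs for p, _v, needs in scan(root)}


if __name__ == "__main__":
    for jar_name, needs_update in sorted(demo().items()):
        print(f"{jar_name}: {'UPDATE' if needs_update else 'ok'}")
```

Run it against a real server by calling scan() with the deployment root instead of the constructed tree; the version tuple comparison is what keeps 2.9.x from sorting above 2.16.0 the way a plain string compare would.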