Log4j RCE Found

[xyst]

This should be something that static code analyzers should pick up. If a dependency log4j dependency is <2.15, then it needs to be updated.

Just in time to ruin all of the reports project managers present to executives

[nick__m]

the vulnerable feature is not in log4j < 2.10

see https://github.com/apache/logging-log4j2/pull/608#issuecomme...

and you can just delete the affected class

[agwa]

> the vulnerable feature is not in log4j < 2.10

The comment you cited is referring to the option to disable the vulnerable feature, not the vulnerable feature itself.

Per https://github.com/apache/logging-log4j2/pull/608#issuecomme... even log4j 1.x is vulnerable.

[tmd83]

Does that mean it's only vulnerable if JMSAppender is used otherwise not? Which should at least be a rarer use case.

[philipwhiuk]

Log4J 1 is only vulnerable for JMS Log4J 2 is vulnerable < 2.15.0. There are mitigations for > 2.10.0 and > 2.7.0

[cesarb]

What I understood from that comment is that log4j 1.x is only vulnerable if you use the JMS Appender, which is probably not the most common configuration.

[nick__m]

please ignore my comment on the version, agwa is right, update the library or delete the vulnerable class.

[jpomykala]

“Also, we can't be sure about whole scenario. There're reports that indicates this RCE is still possible in 2.15+ RCs builds, so there is a chance there are also other gateways to achieve the same effect.”

[3boll]

They will :)