[NEWSboard IBMi Forum]
  1. #13
    Registered since
    Aug 2021
    Posts
    6
    Hello everyone,

    attached is some further information from HCL, which we received in connection with our
    GEDYS Intraware software:

    The vulnerability occurs exclusively in versions 2.x up to and including 2.14.1 of the Java logging library Log4j.
    According to all information available to us, version 1 libraries are NOT affected, since the exploitable functions were not yet integrated in those versions.
    In this case it seems, for once, to be better not to have the latest version installed.

    Regards
    Volker

  2. #14
    Registered since
    Aug 2001
    Posts
    2,644
    Updated info for people looking for workarounds

    CVE-2021-44228

    CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.

    Severity: Critical

    Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

    Versions Affected: all versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.14.1
    Description

    In Apache Log4j2 versions up to and including 2.14.1 (excluding security release 2.12.2), the JNDI features used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
    Mitigation

    Log4j 1.x mitigation: Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.

    Log4j 2.x mitigation: Implement one of the mitigation techniques below.

    Java 8 (or later) users should upgrade to release 2.16.0.
    Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).

    Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

    Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
    www.RZKH.de
    IBM Champion 2022, 2023, 2024
    IBM i Community Advocate https://www.youracclaim.com/badges/6...c-7ad4ba147af6
    Common / CEAC
    http://pub400.com
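The advisory above gives two things a defender can check on an installed log4j-core jar: whether its version falls in the affected ranges, and whether the JndiLookup class that the zip workaround deletes is still present. The following is an added example (not part of the forum post or of the Apache advisory) that performs both checks; it assumes the jar carries its version in the manifest's Implementation-Version header, and builds constructed stand-in jars in memory so it runs offline.

```python
import io
import re
import zipfile

# Path of the lookup class inside log4j-core, exactly as named in the advisory above.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    # '2.14.1' -> (2, 14, 1); a pre-release such as '2.0-beta9' maps to (2, 0, 0)
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x or 0) for x in m.groups())

def version_in_affected_range(version):
    # Affected ranges from the advisory: 2.0-beta9..2.12.1 and 2.13.0..2.14.1
    v = parse_version(version)
    return (2, 0, 0) <= v <= (2, 12, 1) or (2, 13, 0) <= v <= (2, 14, 1)

def inspect_log4j_core(jar):
    # Returns (version, jndi_lookup_present, verdict); jar is a path or a file object.
    # Assumption: the version is carried in the manifest's Implementation-Version header.
    with zipfile.ZipFile(jar) as z:
        names = set(z.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            for line in z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
    if version is None:
        verdict = "unknown-version"
    elif not version_in_affected_range(version):
        verdict = "fixed-release"  # 2.12.2 / 2.16.0: not affected even if the class is present
    elif JNDI_CLASS in names:
        verdict = "vulnerable"
    else:
        verdict = "mitigated-class-removed"  # affected version, JndiLookup.class deleted
    return version, JNDI_CLASS in names, verdict

def make_sample_jar(version, include_jndi):
    # Constructed stand-in for a log4j-core jar: manifest plus a dummy class entry, no real bytecode.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if include_jndi:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for ver, jndi in [("2.14.1", True), ("2.14.1", False), ("2.12.2", True), ("2.16.0", True)]:
        print(ver, inspect_log4j_core(make_sample_jar(ver, jndi)))
```

On a real system, pass the path of each log4j-core-*.jar found on the classpath to inspect_log4j_core; a "mitigated-class-removed" verdict confirms the zip -d workaround from the advisory was applied to that jar.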
