Incomplete fix for Apache Log4j vulnerability #248

rama280290 · 2024-04-09T13:51:07Z

https://github.com/elastic/ecs-logging-java/blob/-/log4j2-legacy-tests/pom.xml

The fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a remote code execution (RCE) attack.

jackshirazi · 2024-04-09T15:23:10Z

Thanks, per the name log4j2-legacy-tests this module only has test code (only src/test/java/... exists in that module) for legacy log4j versions, and is never deployed other than to CI to run tests. The actual log4j dependency in log4j2-ecs-layout/pom.xml is already on 2.17.1

github-actions bot added agent-java community Issues and PRs created by the community triage Issues and PRs that need to be triaged labels Apr 9, 2024

jackshirazi closed this as completed Apr 9, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Incomplete fix for Apache Log4j vulnerability #248

Incomplete fix for Apache Log4j vulnerability #248

rama280290 commented Apr 9, 2024

jackshirazi commented Apr 9, 2024

Incomplete fix for Apache Log4j vulnerability #248

Incomplete fix for Apache Log4j vulnerability #248

Comments

rama280290 commented Apr 9, 2024

jackshirazi commented Apr 9, 2024