linux-announce AT lists.psi.ch
Subject: Linux Mailing List
- From: "Talamo Ivano Giuseppe (PSI)" <ivano.talamo AT psi.ch>
- To: "linux-announce AT lists.psi.ch" <linux-announce AT lists.psi.ch>
- Subject: [Linux-announce] log4j vulnerability
- Date: Wed, 15 Dec 2021 13:39:57 +0000
Dear all,
This is a reminder about the log4j vulnerability and possible related mitigations and fixes.
The full reference document is the SNOW KB article: https://psi.service-now.com/nav_to.do?uri=%2Fkb_view.do%3Fsysparm_article%3DKB0003297
In general, it is not enough to check whether the rpm package is installed, since the affected code can be shipped together with some application in the form of a jar file.
There's a tool at [1] that you can use to scan a system for affected log4j jar files.
Please consider that the tool only detects and fixes the log4j version 2 bug.
It could still be possible that you have software using log4j version 1, that also presents a vulnerability, although of moderate severity. A more detailed explanation and description of possible mitigations are provided in [2,3].
Kind regards,
Ivano Talamo for the Linux team
[1] https://github.com/logpresso/CVE-2021-44228-Scanner/blob/main/README.md
[2] https://nvd.nist.gov/vuln/detail/CVE-2021-4104
[3] https://access.redhat.com/security/cve/CVE-2021-4104
__________________________________________
Paul Scherrer Institut
Ivano Talamo
WHGA/038
Forschungsstrasse 111
5232 Villigen PSI
Schweiz
Telefon: +41 56 310 47 11
E-Mail: ivano.talamo AT psi.ch