Skip to content

Remote code injection in Log4j

Critical severity GitHub Reviewed Published Dec 14, 2021 in splunk/splunk-library-javalogging • Updated Jan 9, 2023

Package

maven com.splunk.logging:splunk-library-javalogging (Maven)

Affected versions

< 1.11.1

Patched versions

1.11.1

Description

Impact

Logging untrusted or user controlled data with a vulnerable version of Log4J may result in Remote Code Execution (RCE) against your application. This includes untrusted data included in logged errors such as exception traces, authentication failures, and other unexpected vectors of user controlled input.

More Details:
GHSA-jfh8-c2jp-5v3q

Patches

Version 1.11.1 of the Splunk Logging for Java library.

There is also a backport to version 1.6.2 released as a patch: 1.6.2-0-0.

Workarounds

If upgrading is not possible, then ensure the -Dlog4j2.formatMsgNoLookups=true system property is set on both client- and server-side components.

References

GHSA-jfh8-c2jp-5v3q

For more information

If you have any questions or comments about this advisory:

References

@fantavlik fantavlik published to splunk/splunk-library-javalogging Dec 14, 2021
Reviewed Dec 14, 2021
Published to the GitHub Advisory Database Dec 14, 2021
Last updated Jan 9, 2023

Severity

Critical

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-94g7-hpv8-h9qm

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.