CVE-2021-44228 #628
Comments
Same question here. The log4j version with 2.0.0 is log4j-1.2.17.jar, which itself is no longer supported according to I'm taking down the app until we get some certainty around this issue.
@mattronix according to https://groups.google.com/g/pwm-general/c/mjf4fEzz0b0 pwm is not affected because it uses an even older log4j lib :\
PWM (all versions) uses log4j v1, which is not affected by this CVE. Though the deprecated v1 is used, as far as I'm aware the configuration and libraries used are not affected by older v1 CVEs. Unfortunately, updating to v2 is not trivial. It was attempted and ultimately abandoned because v2's feature bloat and complexity made it not a good fit for PWM and would have required a substantial rewrite of code and change of features. There is an ongoing effort to replace log4j with slf4j/logback.
Appreciate your work on this tool. It has been very useful to our organization. Unfortunately, we will have to decommission its use until Log4j is updated to at least 2.16+ or replaced with slf4j/logback. Our security dept. is not allowing the older 1.2.x.
v2.0.2 release replaces log4j with reload4j. This doesn't fix any security issues (there aren't any with our usage of log4j), but it may make your scanners happier. (commit 3a3c137)
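A quick way to answer the question raised in this thread for a given deployment, as an added example that is not PWM's own code: it lists the logging jars bundled under WEB-INF/lib of a WAR by file name and classifies them the way the thread does (log4j 1.x and reload4j not affected by CVE-2021-44228, log4j-core below 2.16 flagged for review). The WAR and its jar names are constructed sample data; the helper names are hypothetical.

```python
import io
import re
import zipfile
from typing import Dict, Tuple

# Hypothetical helper (not part of PWM): match the common Maven-style jar
# names for log4j 1.x, log4j 2.x (core/api) and the reload4j fork.
JAR_RE = re.compile(r"(?:^|/)(log4j-core|log4j-api|log4j|reload4j)-(\d+(?:\.\d+)+)\.jar$")


def version_tuple(version: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def classify(artifact: str, version: str) -> str:
    """Classify one logging jar with respect to CVE-2021-44228 (Log4Shell)."""
    ver = version_tuple(version)
    if artifact == "reload4j":
        return "reload4j (log4j 1.x fork): CVE-2021-44228 not applicable"
    if artifact == "log4j" and ver[0] == 1:
        return "log4j 1.x: CVE-2021-44228 not applicable"
    if artifact == "log4j-core":
        if ver < (2, 16):
            return "log4j-core 2.x below 2.16: review for CVE-2021-44228"
        return "log4j-core 2.16+: fixed for CVE-2021-44228"
    # log4j-api on its own is not the affected component.
    return f"{artifact} {version}: no finding"


def scan_war(war_bytes: bytes) -> Dict[str, str]:
    """Return {jar path: classification} for every logging jar found in the WAR."""
    findings: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            match = JAR_RE.search(name)
            if match:
                findings[name] = classify(match.group(1), match.group(2))
    return findings


def build_sample_war() -> bytes:
    """Constructed sample WAR: only the jar names matter for this check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for path in ("WEB-INF/lib/log4j-1.2.17.jar",
                     "WEB-INF/lib/log4j-core-2.14.1.jar",
                     "WEB-INF/lib/other-3.0.jar"):
            war.writestr(path, b"")
    return buf.getvalue()
```

A name-based check misses shaded or renamed jars, so a negative result should be confirmed by inspecting the jar contents or build manifest.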
Hello Team,
We see log4j in the code base. Not super savvy with Java, but could you confirm if the software is at risk of https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java (CVE-2021-44228)?