[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
|
Re: [jetty-dev] Jetty: Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)
|
Hi,
On Thu, Dec 16, 2021 at 7:57 AM Kumar, Amit (Noida) via jetty-dev
<jetty-dev@xxxxxxxxxxx> wrote:
> Hi Team,
>
> We are using Below jar provided by you. We want to ensure and know if it is impacted by “Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)”. If it’s impacted please let us know about the security recommendation. To know we are looking for following answer
> Jars:
>
> jetty-4.2.19 4.2.19
> jetty-continuation-7.5.4.v20111024 7.5.4
> jetty-http-7.5.4.v20111024 7.5.4
> jetty-security-7.5.4.v20111024 7.5.4
> jetty-util-7.5.4.v20111024 7.5.4
> jetty-io-7.5.4.v20111024 7.5.4
> jetty-server-7.5.4.v20111024 7.5.4
Jetty 7.5.4 is from October 2011, more than 10 years ago.
If you are worried about the recent Log4j2 vulnerability, be aware
that because using a Jetty version from 10 years ago you are probably
vulnerable to many other CVEs.
Jetty 4.2.19 is fossilized, but glad it's still working for you!
I would suggest you update your systems to a recent Jetty version,
either from the 9.4.x series or the 10.0.x/11.0.x series.
In any case, Jetty 7 was not using Log4j2.
If you have added a dependency on Log4j2 with your usage of Jetty 7,
just update to Log4j2 to 2.16.0 or later.
--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
