Re: [jetty-dev] Jetty: Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)


On Thu, Dec 16, 2021 at 7:57 AM Kumar, Amit (Noida) via jetty-dev
<jetty-dev@xxxxxxxxxxx> wrote:
> Hi Team,
> We are using the below jars provided by you. We want to ensure and know if they are impacted by “Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)”. If they are impacted, please let us know about the security recommendation. To know, we are looking for the following answer:
> Jars:
> jetty-4.2.19 4.2.19
> jetty-continuation-7.5.4.v20111024 7.5.4
> jetty-http-7.5.4.v20111024 7.5.4
> jetty-security-7.5.4.v20111024 7.5.4
> jetty-util-7.5.4.v20111024 7.5.4
> jetty-io-7.5.4.v20111024 7.5.4
> jetty-server-7.5.4.v20111024 7.5.4

Jetty 7.5.4 is from October 2011, more than 10 years ago.
If you are worried about the recent Log4j2 vulnerability, be aware
that because you are using a Jetty version from 10 years ago, you are
probably vulnerable to many other CVEs.

Jetty 4.2.19 is fossilized, but glad it's still working for you!

I would suggest you update your systems to a recent Jetty version,
either from the 9.4.x series or the 10.0.x/11.0.x series.

In any case, Jetty 7 was not using Log4j2.

If you have added a dependency on Log4j2 with your usage of Jetty 7,
just update Log4j2 to 2.16.0 or later.

Simone Bordet
Developer advice, training, services and support
from the Jetty & CometD experts.
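As an added example, not part of this thread or of the Jetty project's code: a small Python scanner that answers the question asked above for any jar or WAR on disk. It looks for the log4j-core JndiLookup class, reads the Maven version the jar bundles, compares it against the 2.16.0 fix named in the reply, and recurses into jars nested inside WARs or fat jars. The jars it builds for the demo are constructed fixtures, not real log4j artifacts.

```python
import io
import zipfile

# Class whose presence means the JNDI lookup code path ships in the jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata inside log4j-core jars; carries the artifact version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Fixed version named in the reply above.
FIXED = (2, 16, 0)

def parse_version(text):
    """Return the 'version=' value of a pom.properties as an int tuple, or None."""
    for line in text.splitlines():
        if line.startswith("version="):
            return tuple(int(p) for p in line.split("=", 1)[1].strip().split(".") if p.isdigit())
    return None

def scan_archive(data, name):
    """Inspect a jar/war (bytes) and nested jars; return [(name, version, vulnerable)]
    for each archive that contains JndiLookup.class."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names:
            version = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
            # Class present but version unknown: treat as vulnerable (fail closed).
            vulnerable = version is None or version < FIXED
            findings.append((name, version, vulnerable))
        for entry in names:
            if entry.endswith((".jar", ".war")):  # fat jars and WEB-INF/lib bundles
                findings.extend(scan_archive(zf.read(entry), f"{name}!{entry}"))
    return findings

def build_demo_jar(version, with_jndi=True, nested=None):
    """Construct a minimal fake log4j-core jar in memory (test fixture, not real log4j)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"")
        for entry_name, entry_data in (nested or {}).items():
            zf.writestr(entry_name, entry_data)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed WAR: patched log4j-core at top level, an old copy under WEB-INF/lib.
    war = build_demo_jar("2.16.0", nested={"WEB-INF/lib/log4j-core-2.14.1.jar": build_demo_jar("2.14.1")})
    for archive, ver, vuln in scan_archive(war, "app.war"):
        print(archive, ver, "VULNERABLE" if vuln else "ok")
```

To scan a real deployment, feed `scan_archive` the bytes of each `.jar`/`.war` under the install tree; malformed nested entries raise `zipfile.BadZipFile`, which you should catch when walking untrusted directories.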
