
Re: [jetty-users] [jetty-dev] Jetty: Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)

One needs to check *all* jars too. I notice that the c3p0 db connection pool package uses a lib (by the same author) called mchange-commons that incorporates log4j:

https://github.com/swaldman/mchange-commons-java/tree/master/src/main/java/com/mchange

$ jar tf ...jar

com/mchange/v2/log/log4j2/MLogAppender.class
com/mchange/v2/log/log4j/Log4jMLog$Log4jMLogger.class
com/mchange/v2/log/log4j2/Log4j2MLog$Log4jMLogger.class
com/mchange/v2/log/log4j2/Log4j2MLog.class

In case anyone else is concerned. I haven't had time to do more than verify I can't get a side effect from outside my site.

Bill


On 12/16/21 5:26 AM, Joakim Erdfelt wrote:
You have 2 recent CVEs for Log4j 2.x to be aware of - CVE-2021-44228 and CVE-2021-45046.
Both of these are currently resolved by simply upgrading to Log4j2 2.16.0.

Log4j 1.x was EOL in August 2015 and now has an ever-growing post-EOL CVE list; its use in production is not recommended anymore.

As Simone pointed out, Jetty has never had a dependency on log4j, any version.
If you are using log4j, then you added it to your own copy of Jetty.
Upgrading log4j, or deciding to switch to a different logging implementation (logback, java.util.logging, etc) will have zero impact on Jetty itself.

Joakim Erdfelt / joakim@xxxxxxxxxxx


On Thu, Dec 16, 2021 at 12:57 AM Kumar, Amit (Noida) via jetty-dev <jetty-dev@xxxxxxxxxxx> wrote:

Hi Team,

We are using the jars below, provided by you. We want to confirm whether they are impacted by “Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)”. If they are impacted, please let us know your security recommendation. To determine this, we are looking for answers to the following:

Jars:

jetty-4.2.19 4.2.19

jetty-continuation-7.5.4.v20111024 7.5.4

jetty-http-7.5.4.v20111024 7.5.4

jetty-security-7.5.4.v20111024 7.5.4

jetty-util-7.5.4.v20111024 7.5.4

jetty-io-7.5.4.v20111024 7.5.4

jetty-server-7.5.4.v20111024 7.5.4

Are you using log4j?

If you are using log4j 1.x, are you using the JMSAppender class?

If you are using log4j 2.x, what is your security recommendation to fix the issue?

Thanks and regards,

Amit Kumar

Tech Lead, Software Development Engineering

Financial & Risk Management Solutions

Mobile: +91-9990094588

Fiserv

--
Phobrain.com
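Bill's point that every jar has to be checked, not just the ones named "log4j", generalises to nested archives: a war or ear can carry log4j-core under WEB-INF/lib where a top-level `jar tf` never looks. The scanner below is an added example written for this page, not code from the thread or from the Jetty project. It walks a directory, opens every .jar/.war/.ear/.zip, recurses into archives nested inside them, and reports the two class files the thread is about: `org/apache/logging/log4j/core/lookup/JndiLookup.class` (the log4j-core 2.x component behind CVE-2021-44228 / CVE-2021-45046) and `org/apache/log4j/net/JMSAppender.class` (the log4j 1.x appender Amit asked about). It also reads the log4j-core version from the Maven `pom.properties` that Maven-built jars carry under META-INF. The jars it scans are constructed in a temporary directory by `build_sample_tree()` so the example runs offline; their names and contents are fixtures, not real artifacts.

```python
"""Scan jars (including jars nested inside wars/ears) for the Log4j classes
discussed in the thread. Added example; sample archives are constructed inline."""
import io
import os
import tempfile
import zipfile

# Class files that identify the components the thread is concerned with.
MARKERS = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class":
        "log4j-core 2.x JndiLookup (CVE-2021-44228 / CVE-2021-45046 surface)",
    "org/apache/log4j/net/JMSAppender.class":
        "log4j 1.x JMSAppender (EOL branch with post-EOL CVEs)",
}
# Maven-built log4j-core jars carry their exact version here.
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear", ".zip")


def _scan_zip(zf, origin, findings):
    """Inspect one open archive and recurse into archives nested inside it."""
    names = set(zf.namelist())
    for marker, description in MARKERS.items():
        if marker in names:
            findings.append((origin, marker, description))
    if LOG4J_CORE_POM in names:
        props = zf.read(LOG4J_CORE_POM).decode("utf-8", "replace")
        for line in props.splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
                findings.append((origin, LOG4J_CORE_POM, "log4j-core version " + version))
    for name in names:
        if name.lower().endswith(NESTED):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # not a real archive; skip rather than abort the scan
            _scan_zip(inner, origin + "!" + name, findings)


def scan_tree(root):
    """Return a list of (archive, entry, description) for everything under root.
    Nested archives are reported as outer.war!inner.jar."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(NESTED):
                path = os.path.join(dirpath, fname)
                try:
                    with zipfile.ZipFile(path) as zf:
                        _scan_zip(zf, path, findings)
                except zipfile.BadZipFile:
                    continue
    return findings


def build_sample_tree():
    """Constructed fixture (not real artifacts): a clean jetty-util jar, a
    log4j-core 2.14.1 jar, a log4j 1.2.17 jar, and a war nesting the log4j-core jar."""
    root = tempfile.mkdtemp(prefix="jarscan-")

    def make(path, entries):
        with zipfile.ZipFile(path, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)

    make(os.path.join(root, "jetty-util.jar"),
         {"org/eclipse/jetty/util/Placeholder.class": b"\xca\xfe\xba\xbe"})
    core = os.path.join(root, "log4j-core-2.14.1.jar")
    make(core, {
        "org/apache/logging/log4j/core/lookup/JndiLookup.class": b"\xca\xfe\xba\xbe",
        LOG4J_CORE_POM: b"version=2.14.1\ngroupId=org.apache.logging.log4j\n"
                        b"artifactId=log4j-core\n",
    })
    make(os.path.join(root, "log4j-1.2.17.jar"),
         {"org/apache/log4j/net/JMSAppender.class": b"\xca\xfe\xba\xbe"})
    with open(core, "rb") as fh:
        core_bytes = fh.read()
    make(os.path.join(root, "app.war"), {"WEB-INF/lib/log4j-core-2.14.1.jar": core_bytes})
    return root


if __name__ == "__main__":
    for origin, entry, description in scan_tree(build_sample_tree()):
        print(f"{origin}: {entry} -> {description}")
```

Point `scan_tree()` at a real deployment directory to get the same report for production jars. Finding JndiLookup.class tells you log4j-core 2.x is present; the version line from pom.properties tells you whether it is below the 2.16.0 that Joakim recommends, and a version line with no JndiLookup entry is what you see after the class has been deleted from the jar as a mitigation. Jars shaded or repackaged by a vendor may carry neither marker under these exact paths, so an empty result is evidence, not proof.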
