Re: [jetty-users] [jetty-dev] Jetty: Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)

There is a new Log4J CVE, everyone using log4j needs to upgrade to 2.17.0 now.

https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105

Joakim Erdfelt / joakim@xxxxxxxxxxx


On Fri, Dec 17, 2021 at 5:16 PM Simone Bordet <sbordet@xxxxxxxxxxx> wrote:
Hi,

On Fri, Dec 17, 2021 at 11:29 AM Lothar Kimmeringer <job@xxxxxxxxxxxxxx> wrote:
> On 16.12.2021 at 14:26, Joakim Erdfelt wrote:
>
> > As Simone pointed out, Jetty has never had a dependency on log4j, any version.
> > If you are using log4j, then you added it to your own copy of Jetty.
>
> While the statement is true it might be worth mentioning that
> Jetty could use log4j indirectly if log4j has been configured
> to be SLF4J's backend logging framework and Jetty has been
> configured to use Slf4jLog and/or Slf4jRequestLogWriter.
>
> Especially if Jetty is embedded into a larger application, this
> scenario isn't that far-fetched.

You are right that this scenario is possible, but there is nothing
that we can do about it.
We don't have to release a new version of Jetty to patch anything,
because there is nothing to patch on the Jetty side.

Sure, people will need to carefully review their dependencies,
recursively, and whether they have configured Jetty (or some other
library) with Log4J, and we wrote a generic how-to for how to deal
with some of these cases (again we cannot cover them all) in this
blog:
https://webtide.com/jetty-log4j2-exploit-cve-2021-44228/

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
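The thread's practical advice is to review dependencies recursively, because an indirect log4j copy (for example one pulled in as the SLF4J backend of a webapp deployed into Jetty) hides inside nested archives rather than in Jetty's own distribution. The script below is an added example written for this page, not code from the Jetty project or from anyone in the thread. It walks a directory tree, treats every jar/war/ear as a zip, descends into archives nested inside archives (WEB-INF/lib/*.jar inside a war), and reports each log4j-core copy with its version and whether it still ships JndiLookup.class. The version heuristics (Maven pom.properties, then the manifest Implementation-Version) are assumptions about typical packaging, the sample tree it builds is constructed and not real artifacts, and 2.17.0 is the version the first message says to upgrade to.

```python
"""Recursively inventory log4j-core copies in a tree of jars/wars/ears.

Added example for this thread, not Jetty project code.  A jar/war/ear is a
zip file, so only the standard library is needed, and the scan descends into
archives nested inside archives, which is where an indirect dependency hides.
"""
import io
import os
import re
import tempfile
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
CORE_MARKER = "org/apache/logging/log4j/core/"          # log4j-core 2.x package
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = "2.17.0"   # version the thread says to upgrade to (CVE-2021-45105)


def parse_version(text):
    """'2.16.0' -> (2, 16, 0); non-numeric parts are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def version_of(zf):
    """Best-effort log4j-core version: Maven pom.properties, then the manifest (assumed layout)."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    if "META-INF/MANIFEST.MF" in names:
        for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    return None


def scan_archive(zf, label, findings):
    """Record a log4j-core copy in this archive, then recurse into nested archives."""
    names = zf.namelist()
    if any(n.startswith(CORE_MARKER) for n in names):
        findings.append({
            "location": label,
            "version": version_of(zf),
            "jndi_lookup": CORE_MARKER + "lookup/JndiLookup.class" in names,
        })
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            data = zf.read(name)
            if zipfile.is_zipfile(io.BytesIO(data)):
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    scan_archive(inner, f"{label}!/{name}", findings)


def scan_tree(root):
    """Walk a directory tree and collect findings for every archive in it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            path = os.path.join(dirpath, fn)
            if fn.lower().endswith(ARCHIVE_SUFFIXES) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    scan_archive(zf, path, findings)
    return findings


def needs_upgrade(finding, minimum=FIXED_VERSION):
    """True when the version is unknown or older than `minimum`."""
    v = finding["version"]
    return v is None or parse_version(v) < parse_version(minimum)


def make_jar(entries):
    """Build an in-memory jar (zip) from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample(root):
    """Constructed sample tree (not real artifacts): one old copy nested in a war, one fixed copy."""
    old_core = make_jar({
        POM_PROPS: b"version=2.14.1\nartifactId=log4j-core\n",
        CORE_MARKER + "lookup/JndiLookup.class": b"\xca\xfe\xba\xbe",
    })
    new_core = make_jar({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nImplementation-Version: 2.17.0\n",
        CORE_MARKER + "Logger.class": b"\xca\xfe\xba\xbe",
    })
    app_war = make_jar({
        "WEB-INF/lib/log4j-core-2.14.1.jar": old_core,
        "WEB-INF/lib/slf4j-api-1.7.32.jar": make_jar({"org/slf4j/Logger.class": b""}),
    })
    os.makedirs(os.path.join(root, "webapps"), exist_ok=True)
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    with open(os.path.join(root, "webapps", "app.war"), "wb") as f:
        f.write(app_war)
    with open(os.path.join(root, "lib", "log4j-core-2.17.0.jar"), "wb") as f:
        f.write(new_core)


def demo():
    """Scan the constructed tree and print one line per log4j-core copy found."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        findings = scan_tree(root)
        for f in findings:
            status = "UPGRADE" if needs_upgrade(f) else "ok"
            print(f"{status:8} {f['version'] or '?':8} jndi={f['jndi_lookup']}  {f['location']}")
        return findings


if __name__ == "__main__":
    demo()
```

Point `scan_tree()` at a Jetty base directory or an application's deployment root instead of the constructed sample; a finding with `jndi_lookup=True` or a version below 2.17.0 is a copy that the thread's advice says to upgrade. The recursion into nested archives is the part that matters for the embedded-Jetty scenario from the quoted reply, since a plain `find` over jar file names misses a log4j-core packed inside a war.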
