Re: [jetty-users] [jetty-dev] Jetty: Apache Log4j Tool : Zero Day in Ubi

[Bill Ross <ross@xxxxxxxxxxxx>]

> it's possible to set up your particular Jetty-installation in a way 
that uses log4j with corresponding consequences.

Even if you haven't used log4j recently, it WAS possible for the whole 
window of vulnerability, so one needs to check what was in service the 
whole period, and assume records of intrusion may have been removed and 
trojans placed if you were open.

Bill


On 12/20/21 2:01 AM, Lothar Kimmeringer wrote:
> Am 18.12.2021 um 00:16 schrieb Simone Bordet:
> > On Fri, Dec 17, 2021 at 11:29 AM Lothar Kimmeringer 
> > <job@xxxxxxxxxxxxxx> wrote:
> > > Am 16.12.2021 um 14:26 schrieb Joakim Erdfelt:
> > >
> > > > As Simone pointed out, Jetty has never had a dependency on log4j, 
> > > > any version.
> > > > If you are using log4j, then you added it to your own copy of Jetty.
> > >
> > > While the statement is true it might be worth mentioning that
> > > Jetty could use log4j indirectly if log4j has been configured
> > > to be SLF4J's backend logging framework and Jetty has been
> > > configured to use Slf4jLog and/or Slf4jRequestLogWriter.
> > >
> > > Especially if Jetty is embedded into a larger application, this
> > > scenario isn't that far fetched.
> >
> > You are right that this scenario is possible, but there is nothing
> > that we can do about it.
> > We don't have to release a new version of Jetty to patch anything,
> > because there is nothing to patch on the Jetty side.
>
> No demand on my side for something like this. I'm only suggesting
> to stop statements like "never had a dependency on log4j" while
> the actual codebase of Jetty allows you to configure exactly that.
> At least amend the statement that while Jetty uses its own
> logging framework so a _standard installation_ of Jetty isn't
> vulnerable, it's possible to set up your particular Jetty-installation
> in a way that uses log4j with corresponding consequences.
>
> > Sure people will need to carefully review their dependencies,
> > recursively, and whether they have configured Jetty (or some other
> > library) with Log4J, and we wrote a generic how-to for how to deal
> > with some of these cases (again we cannot cover them all) in this
> > blog:
> > https://webtide.com/jetty-log4j2-exploit-cve-2021-44228/
>
> You might update it to the most current version of log4j (2.17.0)
> because the mentioned version has vulnerabilities as well.
>
>
> Cheers, Lothar
> _______________________________________________
> jetty-users mailing list
> jetty-users@xxxxxxxxxxx
> To unsubscribe from this list, visit 
> https://www.eclipse.org/mailman/listinfo/jetty-users
--
Phobrain.com