Posted to fortress@directory.apache.org by Shawn McKinney <sm...@apache.org> on 2021/12/12 21:16:03 UTC

CVE-2021-44228 mitigation procedures

Hello,

This contains mitigation procedures for a recent critical vulnerability discovered in Apache Log4j core.

If you are using Apache Fortress here are things you can do to prevent the exploit from occurring.

1. Use the latest release 2.0.7.  Released today, it includes the patched log4j2 v2.15.0.

If you can’t go to latest...

2. Update your pom.xml to override any previous log4j2 and pull the latest:

```
<!-- Declaring log4j-core directly in <dependencies> makes Maven prefer this
     version over any older copy that arrives transitively -->
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.15.0</version>
</dependency>
```

This will override any transitive dependencies to use this version.

Note:  Be sure to look at the libs your project pulls back during the build to verify it’s using v2.15.0.

3. Follow the guidelines laid out by the Apache Log4j project in their release announcement.

[[ANNOUNCEMENT] Apache Log4j 2.15.0 Released](http://mail-archives.apache.org/mod_mbox/www-announce/202112.mbox/%3CD88D40C5-8884-470E-8FA3-3B6D6899A7B0%40apache.org%3E)

***

That’s about it.  While this is a critical vulnerability, it’s entirely preventable by completing one of these steps.

You may contact me privately if concerned about leaking security details about your deployments, or reply on this mailing list with questions.

—
Shawn
---------------------------------------------------------------------
To unsubscribe, e-mail: fortress-unsubscribe@directory.apache.org
For additional commands, e-mail: fortress-help@directory.apache.org


Re: CVE-2021-44228 mitigation procedures

Posted by Shawn McKinney <sm...@apache.org>.
> On Dec 12, 2021, at 3:16 PM, Shawn McKinney <sm...@apache.org> wrote:
> 
> 1. Use latest release 2.0.7.  Released today, it includes the patched log4j2 v2.15.0
> 
> If you can’t go to latest…

Clarification:

This vulnerability only applies to deployments that use Apache Fortress 2.0.6.

We migrated to use Apache Log4j2 just prior to that release, which means ONLY 2.0.6 is impacted.

Updated mitigation steps:

If you are using Apache Fortress 2.0.6, here are things you can do to prevent the exploit from occurring.

1. Use latest release 2.0.7.  Released today, it includes the patched log4j2 v2.15.0.

2. Use Apache Fortress release prior to 2.0.6.

If you must use Apache Fortress 2.0.6…

3. Update your pom.xml to override any previous log4j2 and pull the latest:

```
<!-- Declaring log4j-core directly in <dependencies> makes Maven prefer this
     version over any older copy that arrives transitively -->
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.15.0</version>
</dependency>
```

This will override any transitive dependencies to use this version.

Note:  Be sure to look at the libs your project pulls back during the build to verify it’s using v2.15.0.

4. Follow the guidelines laid out by the Apache Log4j project in their release announcement.

[[ANNOUNCEMENT] Apache Log4j 2.15.0 Released](http://mail-archives.apache.org/mod_mbox/www-announce/202112.mbox/%3CD88D40C5-8884-470E-8FA3-3B6D6899A7B0%40apache.org%3E)

—
Shawn
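Both messages end the pom.xml step with the same note: look at the libraries the build actually pulls and confirm log4j-core is at v2.15.0. The script below is an added example of that verification, not code from Apache Fortress or Apache Log4j. It assumes the jars a build produces have been gathered into a directory (for example the lib/ folder of an exploded WAR, or the output of `mvn dependency:copy-dependencies`), walks that directory, reads the version Maven records in each log4j-core jar's pom.properties (falling back to the file name), and flags anything below a minimum version, which defaults to the 2.15.0 named in the thread. The sample jars it scans are constructed in a temporary directory so it runs offline.

```python
"""Scan a directory of jars for log4j-core and report any copy below a minimum version.

Added example for this thread (not Apache Fortress or Log4j code). Assumed layout: the
jars pulled by the build sit somewhere under one directory; the sample jars are constructed.
"""
import os
import re
import tempfile
import zipfile

# Maven writes this file into every jar it builds; it records the artifact's version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MINIMUM = (2, 15, 0)  # the patched version named in the thread; raise as needed


def parse_version(text):
    """'2.15.0' -> (2, 15, 0). A missing patch number becomes 0; qualifiers are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def jar_version(path):
    """Version recorded in the jar's pom.properties, or parsed from the file name if absent."""
    with zipfile.ZipFile(path) as zf:
        if POM_PROPERTIES in zf.namelist():
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    m = re.search(r"log4j-core-(.+)\.jar$", os.path.basename(path))
    return m.group(1) if m else None


def scan(directory, minimum=MINIMUM):
    """Return {jar path: (version string, meets minimum?)} for every log4j-core jar found."""
    findings = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(root, name)
                version = jar_version(path)
                parsed = parse_version(version or "")
                findings[path] = (version, parsed is not None and parsed >= minimum)
    return findings


def _make_jar(directory, name, version, with_properties=True):
    """Constructed sample jar: only the Maven pom.properties entry (or a dummy entry)."""
    path = os.path.join(directory, name)
    with zipfile.ZipFile(path, "w") as zf:
        if with_properties:
            zf.writestr(POM_PROPERTIES,
                        f"version={version}\ngroupId=org.apache.logging.log4j\n"
                        f"artifactId=log4j-core\n")
        else:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return path


def demo():
    """Scan three constructed jars: the override, a stale transitive copy, and one
    without pom.properties (exercises the file-name fallback)."""
    with tempfile.TemporaryDirectory() as tmp:
        _make_jar(tmp, "log4j-core-2.15.0.jar", "2.15.0")
        legacy = os.path.join(tmp, "legacy")
        os.mkdir(legacy)
        _make_jar(legacy, "log4j-core-2.14.1.jar", "2.14.1")
        _make_jar(tmp, "log4j-core-2.12.1.jar", None, with_properties=False)
        return {os.path.basename(p): v for p, v in scan(tmp).items()}


if __name__ == "__main__":
    for jar, (version, ok) in sorted(demo().items()):
        print(f"{'OK  ' if ok else 'FAIL'} {jar} -> {version}")
```

Point `scan()` at the real build output instead of the constructed directory; any `FAIL` line means an older log4j-core is still on the path, so the pom.xml override did not take effect for that artifact and the dependency tree needs another look.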