Posted to dev@jspwiki.apache.org by Juan Pablo Santos Rodríguez <ju...@gmail.com> on 2021/12/13 22:24:34 UTC

[SECURITY] Apache JSPWiki affected by Apache Log4J CVE-2021-44228

Hi all,

apologies for the cross-posting; please see the notice below on how to
mitigate the recent Log4J RCE on existing JSPWiki 2.11.0 installations.

*************************************************************************************
2021-12-13, Apache JSPWiki affected by Apache Log4J CVE-2021-44228

Severity: Critical

Versions Affected: 2.11.0

Description: The Apache JSPWiki 2.11.0 release uses a bundled version
of the Apache Log4J library that is vulnerable to Remote Code Execution.
For the full impact and additional details, consult the Log4J security page.

Apache JSPWiki releases prior to 2.11.0 use Log4J 1.2.17, which may be
vulnerable for installations using non-default logging configurations
that include the JMS Appender; see
https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
for discussion.

Mitigation: Any of the following is enough to prevent this
vulnerability for Apache JSPWiki installations:
* Upgrade to the upcoming Apache JSPWiki 2.11.1, which will include an
updated version of the log4j2 dependency. Alternatively, you can build
2.11.1-git-02 from the master branch, which also includes the updated
dependency.
* Manually update the version of Log4J2 on your runtime classpath and
restart your JSPWiki application.
* Add -Dlog4j2.formatMsgNoLookups=true to the JVM launching the
application (e.g., add it to the CATALINA_OPTS variable under
Tomcat).

As noted above, the Apache JSPWiki 2.11.1 release with the updated
library is expected this week.
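As an added example (not part of this advisory or of JSPWiki itself), a POSIX shell check that applies the notice's two cases to a deployed webapp's WEB-INF directory: the log4j-core jar version for 2.11.0, and a JMS Appender entry in the Log4J 1.x configuration for earlier releases. The fixed-version threshold defaults to 2.15.0, the version the linked Log4J security page gave for this CVE at the time; the jar names and config file locations are assumptions.

```shell
# Added example, not from the advisory or JSPWiki. 2.11.0 bundles Log4J 2, so
# compare the log4j-core jar version with the fixed version from the Log4J
# security page (default 2.15.0, the fix for this CVE at the time; override via
# MIN_FIXED). Earlier releases bundle log4j 1.2.17, where only a non-default
# config wiring the JMS Appender matters. Jar/config names are assumptions.
MIN_FIXED="${MIN_FIXED:-2.15.0}"

# version_ge A B -> returns 0 when dotted version A >= B, component by component
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"   # drop suffixes such as -rc1
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
    done
    return 0
}

# log4j_core_version LIBDIR -> prints the version of log4j-core-<v>.jar, if any
log4j_core_version() {
    for jar in "$1"/log4j-core-*.jar; do
        [ -f "$jar" ] && v="${jar##*/log4j-core-}" && printf '%s\n' "${v%.jar}"
        return 0
    done
}

# classify_webapp WEBINF -> AFFECTED | FIXED | LOG4J1-JMS | LOG4J1 | NONE
# AFFECTED: upgrade the jar, or add -Dlog4j2.formatMsgNoLookups=true to the
# JVM options (CATALINA_OPTS under Tomcat) until the upgrade is deployed.
classify_webapp() {
    webinf="$1"; v="$(log4j_core_version "$webinf/lib")"
    if [ -n "$v" ]; then
        if version_ge "$v" "$MIN_FIXED"; then echo FIXED; else echo AFFECTED; fi
    elif ls "$webinf"/lib/log4j-1.*.jar >/dev/null 2>&1; then
        # Log4J 1.x: only a configuration that wires the JMS Appender matters
        if find "$webinf" -type f \( -name '*.properties' -o -name '*.xml' \) \
                -exec grep -ls 'JMSAppender' {} + | grep -q .; then
            echo LOG4J1-JMS
        else
            echo LOG4J1
        fi
    else
        echo NONE
    fi
}
```

Run it as `classify_webapp /path/to/tomcat/webapps/JSPWiki/WEB-INF` after sourcing the file; the directory layout used below is constructed for illustration.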

References: https://logging.apache.org/log4j/2.x/security.html

**************************************************************************************

best regards,
juan pablo