B4J Question Log4j exploit warning (December 2021)

[tchart]

In case anyone is using log4j you should upgrade ASAP

Log4j RCE 0-day actively exploited | CERT NZ

An unauthenticated RCE vulnerability in the commonly used Log4j java library is being actively exploited.

www.cert.govt.nz

 

[EnriqueGonzalez]

It is indeed ubiquitous that library

 

[avalle]

More info here: https://nvd.nist.gov/vuln/detail/CVE-2021-44228 and here: https://logging.apache.org/log4j/2.x/security.html

An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

 

[b4x-de]

Is B4JServer using Log4j?

 

[avalle]

jServer is based on Jetty. It provides logging via its own org.eclipse.jetty.util.log.Logger layer, and does not natively use any existing Java logging framework.
See https://docs.huihoo.com/jetty/the-definitive-reference/configuring-logging.html

 

[b4x-de]

I'm glad about this. Thanks. I was asking because B4JServer uses mchange-commons and it contains Log4J classes in com.mchange.v2.log

 

[Chris2]

It's been deemed serious enough to warrant a BBC article as well - https://www.bbc.co.uk/news/technology-59638308

 

[aeric]

it contains Log4J classes in com.mchange.v2.log

<dependsOn>mchange-commons-java-0.2.11</dependsOn>

https://mvnrepository.com/artifact/com.mchange/mchange-commons-java/0.2.11

While this dependency is using Log4j 1.x and reported with a vulnerability CVE-2017-5929, it is not same as the vulnerabilities affected from Log4j 2.x CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228. Keep our finger crossed.