[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228
Arne Vajhøj
arne at vajhoej.dk
Thu Dec 16 19:20:13 EST 2021
On 12/16/2021 5:47 PM, Craig A. Berry wrote:
> Note that log4j 2.16.0 has now been released to fix vulnerabilities
> still present in the 2.15.0 released a few days ago, and many of the
> mitigations published in the last week are now considered inadequate:
>
> <https://logging.apache.org/log4j/2.x/security.html>
Yes.
But the new one is not in the same category as the first.
<quote>
CVE-2021-45046
CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context
Lookup Pattern vulnerable to a denial of service attack.
Severity: Moderate
Base CVSS Score: 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
Versions Affected: all versions from 2.0-beta9 through 2.12.1 and 2.13.0
through 2.15.0
</quote>
vs
<quote>
CVE-2021-44228
CVE-2021-44228: Apache Log4j2 JNDI features do not protect against
attacker controlled LDAP and other JNDI related endpoints.
Severity: Critical
Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Versions Affected: all versions from 2.0-beta9 through 2.12.1 and 2.13.0
through 2.14.1
</quote>
Arne