[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228
Arne Vajhøj
arne at vajhoej.dk
Mon Dec 20 14:14:57 EST 2021
On 12/20/2021 2:00 PM, Simon Clubley wrote:
> On 2021-12-17, Arne Vajhøj <arne at vajhoej.dk> wrote:
>> They have now updated the severity to:
>>
>> CVE-2021-45046 Remote Code Execution
>> Severity Critical
>> Base CVSS Score 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
>> Versions Affected All versions from 2.0-beta9 to 2.15.0, excluding 2.12.2
>>
>
> Perhaps we should just wait for version 2.40.0 to be released, which
> will probably be in a couple of weeks at this rate. :-)
>
> For anyone not aware, there is now a third CVE:
>
> https://www.theregister.com/2021/12/19/log4j_new_flaw_cve_2021_45105/
>
> The latest Log4j version is now 2.17.0.
(Hoff already mentioned that one)
CVE-2021-45105:
Apache Log4j2 does not always protect from infinite recursion in lookup
evaluation
CVE-2021-45105 Denial of Service
Severity High
Base CVSS Score 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Versions Affected All versions from 2.0-beta9 to 2.16.0
Arne
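For anyone trying to work out which of their installed log4j-core JARs fall inside the ranges quoted in this thread, here is an added example (mine, not from the thread or from the Log4j project) that takes the affected-version ranges exactly as posted above, including the 2.12.2 exclusion for CVE-2021-45046 and the 2.16.0 upper bound for CVE-2021-45105, and applies them to JARs found on disk. It goes slightly beyond the post by reading the version out of each JAR: the Maven `pom.properties` path and the `org/apache/logging/log4j/core/` class-package check are heuristics I assume hold for a standard log4j-core build, and the sample JAR the script builds for itself is a constructed fixture, not a real artifact.

```python
"""Added example: locate log4j-core JARs and classify their version against the
affected ranges quoted in this thread (CVE-2021-45046, CVE-2021-45105).
Not part of the original post; the JAR-inspection heuristics are assumptions."""
import re
import tempfile
import zipfile
from pathlib import Path

# Affected ranges exactly as quoted in the thread (inclusive bounds).
# CVE-2021-45046: 2.0-beta9 to 2.15.0, excluding 2.12.2
# CVE-2021-45105: 2.0-beta9 to 2.16.0
ADVISORIES = [
    ("CVE-2021-45046", "2.0-beta9", "2.15.0", ("2.12.2",)),
    ("CVE-2021-45105", "2.0-beta9", "2.16.0", ()),
]

# Maven-style pre-release tags sort before the final release of the same number.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

# Assumption: a log4j-core JAR built with Maven carries this descriptor and these classes.
_POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
_CORE_PKG = "org/apache/logging/log4j/core/"


def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, 1, 9); '2.15.0' -> (2, 15, 0, 3, 0). Tuples compare correctly."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, tag, tag_num = m.groups()
    pre = (_PRE_RANK[tag], int(tag_num or 0)) if tag else (_FINAL_RANK, 0)
    return (int(major), int(minor or 0), int(patch or 0)) + pre


def affected_by(version):
    """Return the CVE ids whose quoted range includes `version` (empty list if none)."""
    pv = parse_version(version)
    hits = []
    for cve, low, high, excluded in ADVISORIES:
        if pv in {parse_version(x) for x in excluded}:
            continue
        if parse_version(low) <= pv <= parse_version(high):
            hits.append(cve)
    return hits


def log4j_core_version(jar_path):
    """Read the log4j-core version from a JAR, or None if it is not log4j-core.
    Prefers the Maven pom.properties; falls back to the manifest only when the
    JAR actually contains log4j-core classes, so unrelated JARs are not misreported."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            names = zf.namelist()
            if _POM_PROPS in names:
                for line in zf.read(_POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
            if any(n.startswith(_CORE_PKG) for n in names) and "META-INF/MANIFEST.MF" in names:
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
                if m:
                    return m.group(1)
    except zipfile.BadZipFile:
        pass  # not a JAR at all; skip it
    return None


def scan(root):
    """Walk `root` for *.jar files; return (path, version, [cves]) for each log4j-core found."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        version = log4j_core_version(jar)
        if version is not None:
            findings.append((str(jar), version, affected_by(version)))
    return findings


def make_sample_jar(version):
    """Constructed test fixture: a minimal fake log4j-core JAR in a fresh temp dir.
    It carries only pom.properties and an empty placeholder class entry, no real code."""
    jar = Path(tempfile.mkdtemp()) / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(_POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr(_CORE_PKG + "LogEvent.class", b"")
    return str(jar)


if __name__ == "__main__":
    for v in ("2.0-beta9", "2.12.2", "2.14.1", "2.16.0", "2.17.0"):
        print(f"{v:>10}: {affected_by(v) or 'not in the quoted ranges'}")
    sample = make_sample_jar("2.16.0")
    for path, ver, cves in scan(Path(sample).parent):
        print(path, ver, cves)
```

Point `scan()` at an application tree (or a whole disk) and it reports every log4j-core it can identify together with the CVEs from this thread whose range covers it; 2.17.0 comes out clean because it sits above both upper bounds as quoted. The ranges are a table at the top, so when the next advisory lands you add one line rather than touching the logic.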