documentation is unclear. Which version of the 20.05 KM contains the Apache Log4j 2.17.1 patch?
May 19, 2022 11:17
Krutarth Mohakud
Hi Ellen Coleman, Good to see you again. This patch 2 version contains Apache Log4j 2.17.1 and as you know, it's associated with CVE number. Thanks
Jun 01, 2022 06:20
Ellen Coleman
Hey Krutarth - The CVE # mentioned in the doc was resolved in 2.17.0. => Fixed in Log4j 2.17.0 (Java 8), 2.12.3 (Java 7) and 2.3.1 (Java 6) CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.
The CVE # addressed in 2.17.1 is different. => Fixed in Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6) CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.
I think it would be better to refer to the Apache Log4j version in the doc to avoid any confusion.
Thanks, Ellen
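Ellen's point is that the fix version differs per Log4j release line, so "patched for CVE X" only makes sense once you know which line a build is on. The following is an added example (not code from the thread or the vendor's product) that encodes exactly the two fix lists she quotes and, for a given Log4j 2.x version string, reports which of those CVEs are still unfixed and the smallest version on the same line that closes both; the sample inventory names at the bottom are constructed.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Minimum fixed version per maintained release line, keyed by (major, minor).
# Values are the fix versions quoted in the thread for each CVE.
FIXED_IN: Dict[str, Dict[Tuple[int, int], Version]] = {
    "CVE-2021-45105": {(2, 3): (2, 3, 1), (2, 12): (2, 12, 3), (2, 17): (2, 17, 0)},
    "CVE-2021-44832": {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4), (2, 17): (2, 17, 1)},
}
MAIN_LINE = (2, 17)  # line a version outside the backport lines must move to


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; reject anything else rather than guess."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Log4j version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    if major != 2:
        raise ValueError("only Log4j 2.x release lines are covered by this table")
    return major, minor, patch


def required_fix(version: Version, cve: str) -> Version:
    """Fix version that applies to this version's release line for the CVE."""
    branches = FIXED_IN[cve]
    # A version on a backport line (2.3.x, 2.12.x) is judged against that line's
    # fix; anything else (2.13 .. 2.16, or 2.18+) is judged against the main line.
    return branches.get(version[:2], branches[MAIN_LINE])


def unfixed_cves(text: str) -> List[str]:
    """CVEs from the table that the given version does not yet contain a fix for."""
    version = parse_version(text)
    return sorted(cve for cve in FIXED_IN if version < required_fix(version, cve))


def upgrade_target(text: str) -> Optional[str]:
    """Smallest version on the same line that fixes every listed CVE, or None."""
    version = parse_version(text)
    needed = [required_fix(version, cve) for cve in unfixed_cves(text)]
    if not needed:
        return None
    return ".".join(str(n) for n in max(needed))


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical component names), not real data.
    for component, ver in [("km-20.05-patch1", "2.17.0"), ("km-20.05-patch2", "2.17.1"),
                           ("legacy-agent", "2.12.3")]:
        print(component, ver, unfixed_cves(ver), upgrade_target(ver))
```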