sesk, posted December 18, 2021:

2.17 out today. https://www.bleepingcomputer.com/news/security/upgraded-to-log4j-216-surprise-theres-a-217-fixing-dos/

I bet a 2.18 by next week 😅

itman, posted December 18, 2021 (edited December 18, 2021 by itman):

> 2 hours ago, sesk said:
> 2.17 out today. https://www.bleepingcomputer.com/news/security/upgraded-to-log4j-216-surprise-theres-a-217-fixing-dos/

Also of note:

> Although Apache has officially released details on the upcoming 2.17.0 release so far, GitHub commits seen by BleepingComputer indicate a release 2.12.3 might also be on its way for those on the 2.12.x branch versions.

NewbyUser (ESET Insiders), posted December 21, 2021:

https://www.darkreading.com/application-security/researchers-uncover-new-attack-vector-for-log4j-flaw

bvj, posted December 25, 2021 (edited December 25, 2021 by Marcos: redacted):

> On 12/13/2021 at 8:18 PM, Marcos said:
> Tomcat uses juli, not log4j:

Tomcat uses log4j. You obviously don't know what you're talking about.

mallard65, posted December 25, 2021:

Hello.

"As of Tomcat 5.5, Apache's Java Commons Logging (JCL) technology is used throughout Tomcat. JCL is a lightweight API for Java applications that allows hierarchical logging to be supported across all log levels, independent of logging implementation. This means that rather being limited to a specific hard-coded framework, you can choose the solution that works for you with only a small amount of extra configuration. ... The two most common logging implementations used for Tomcat - the included JULI implementation, and Log4j, a popular, feature-rich implementation compatible with JCL."

https://www.mulesoft.com/tcat/tomcat-logging

You can configure TOMCAT to use log4j but just stating that TOMCAT uses log4j is incorrect.

Marcos (Administrators), posted December 25, 2021:

> 2 hours ago, mallard65 said:
> You can configure TOMCAT to use log4j but just stating that TOMCAT uses log4j is incorrect.

Correct. Also the screenshot in my post suggests that we use JULI in TOMCAT, not log4j.

MrWrighty, posted December 25, 2021:

> 2 hours ago, mallard65 said:
> Hello.
> "As of Tomcat 5.5, Apache's Java Commons Logging (JCL) technology is used throughout Tomcat. JCL is a lightweight API for Java applications that allows hierarchical logging to be supported across all log levels, independent of logging implementation. This means that rather being limited to a specific hard-coded framework, you can choose the solution that works for you with only a small amount of extra configuration. ... The two most common logging implementations used for Tomcat - the included JULI implementation, and Log4j, a popular, feature-rich implementation compatible with JCL."
> https://www.mulesoft.com/tcat/tomcat-logging
> You can configure TOMCAT to use log4j but just stating that TOMCAT uses log4j is incorrect.

The use of TOMCAT in ESET products clearly states that Juli is used and not log4j. It is irrelevant that TOMCAT can be configured to use log4j in this scenario.

mallard65, posted December 25, 2021:

Hello @MrWrighty

You are correct. I was making the point to @bvj that his statement "Tomcat uses log4j. You obviously don't know what you're talking about." is misleading and doesn't apply in this ESET situation.

itman, posted December 28, 2021 (edited December 28, 2021 by itman):

> Apache has released another Log4j version, 2.17.1 fixing a newly discovered remote code execution (RCE) vulnerability in 2.17.0, tracked as CVE-2021-44832. Prior to today, 2.17.0 was the most recent version of Log4j and deemed the safest release to upgrade to, but that advice has now evolved.

https://www.bleepingcomputer.com/news/security/log4j-2171-out-now-fixes-new-remote-code-execution-bug/

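
Added example, not part of the thread and not ESET's or Apache's code: a Python check for the question the Tomcat discussion above turns on, reporting whether a Tomcat-style directory holds the bundled `tomcat-juli.jar`, any `log4j-core` jars, and whether those are older than 2.17.1, the newest release named in the thread. Assumptions: the function names and the sample tree are constructed for illustration, the version is read from the jar's Maven `pom.properties` or else from its file name, and back-ported fix branches such as 2.12.x are not modelled.

```python
import re
import tempfile
import zipfile
from pathlib import Path

FIXED = (2, 17, 1)  # newest release named in the thread; raise when newer fixes ship
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def jar_version(jar: Path):
    """Return the log4j-core version as a tuple, or None if it is unknown."""
    try:
        with zipfile.ZipFile(jar) as zf:
            text = zf.read(POM).decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):  # not a zip, or no Maven metadata
        text = ""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    if m is None:  # fall back to the file name (assumption: jar was not renamed)
        m = re.search(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?", jar.name)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def audit(root: Path):
    """Report which logging backend jars exist under a Tomcat-style tree."""
    report = {"juli": [], "log4j": []}
    for jar in sorted(root.rglob("*.jar")):
        if jar.name == "tomcat-juli.jar":
            report["juli"].append(str(jar.relative_to(root)))
        elif jar.name.startswith("log4j-core"):
            ver = jar_version(jar)
            status = "unknown" if ver is None else ("ok" if ver >= FIXED else "outdated")
            report["log4j"].append((str(jar.relative_to(root)), ver, status))
    return report


def build_sample(root: Path):
    """Constructed sample tree: JULI in bin/, one old log4j-core in a webapp."""
    (root / "bin").mkdir()
    (root / "bin" / "tomcat-juli.jar").write_bytes(b"")
    lib = root / "webapps" / "app" / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    with zipfile.ZipFile(lib / "log4j-core-2.17.0.jar", "w") as zf:
        zf.writestr(POM, "version=2.17.0\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(build_sample(Path(tmp))))
```

An empty `log4j` list means no `log4j-core` jar was found by name under that tree; jars that were renamed or repackaged inside another archive are outside what this check sees.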