
Log4J Vulnerability



2 hours ago, sesk said:

Also of note:

Quote

Although Apache has officially released details on the upcoming 2.17.0 release so far, GitHub commits seen by BleepingComputer indicate a release 2.12.3 might also be on its way for those on the 2.12.x branch versions.

log4j 2.17.0 and 2.12.3 release notes

Edited by itman

On 12/13/2021 at 8:18 PM, Marcos said:

 Tomcat uses juli, not log4j:

Tomcat uses log4j. 

You obviously don't know what you're talking about.

Edited by Marcos
Redacted

Hello.

"As of Tomcat 5.5, Apache's Java Commons Logging (JCL) technology is used throughout Tomcat. JCL is a lightweight API for Java applications that allows hierarchical logging to be supported across all log levels, independent of logging implementation. This means that rather than being limited to a specific hard-coded framework, you can choose the solution that works for you with only a small amount of extra configuration.

... The two most common logging implementations used for Tomcat - the included JULI implementation, and Log4j, a popular, feature-rich implementation compatible with JCL."

https://www.mulesoft.com/tcat/tomcat-logging

You can configure TOMCAT to use log4j but just stating that TOMCAT uses log4j is incorrect.


  • Administrators
2 hours ago, mallard65 said:

You can configure TOMCAT to use log4j but just stating that TOMCAT uses log4j is incorrect.

Correct. Also the screenshot in my post suggests that we use JULI in TOMCAT, not log4j.


2 hours ago, mallard65 said:

Hello.

"As of Tomcat 5.5, Apache's Java Commons Logging (JCL) technology is used throughout Tomcat. JCL is a lightweight API for Java applications that allows hierarchical logging to be supported across all log levels, independent of logging implementation. This means that rather than being limited to a specific hard-coded framework, you can choose the solution that works for you with only a small amount of extra configuration.

... The two most common logging implementations used for Tomcat - the included JULI implementation, and Log4j, a popular, feature-rich implementation compatible with JCL."

https://www.mulesoft.com/tcat/tomcat-logging

You can configure TOMCAT to use log4j but just stating that TOMCAT uses log4j is incorrect.

The use of TOMCAT in ESET products clearly states that JULI is used and not log4j. It is irrelevant that TOMCAT can be configured to use log4j in this scenario.

Link to comment
Share on other sites

Quote

Apache has released another Log4j version, 2.17.1 fixing a newly discovered remote code execution (RCE) vulnerability in 2.17.0, tracked as CVE-2021-44832.

Prior to today, 2.17.0 was the most recent version of Log4j and deemed the safest release to upgrade to, but that advice has now evolved.

https://www.bleepingcomputer.com/news/security/log4j-2171-out-now-fixes-new-remote-code-execution-bug/

Edited by itman
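
The question argued in this thread (does a given Tomcat install log through the bundled JULI, or has Log4j been added?) can be checked on disk. The following is an added example, not part of any post above and not ESET's or Apache's code: it assumes the standard Tomcat layout (`bin/tomcat-juli.jar`), assumes Log4j 2 jars keep their usual `log4j-core-<version>.jar` name, and takes the 2.17.1 threshold from the last quoted post.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Threshold from the thread: 2.17.1 fixes CVE-2021-44832, found in 2.17.0.
# Other release lines have their own fixed builds; see Apache's advisories.
FIXED = (2, 17, 1)
CORE_JAR = re.compile(r"(?:^|/)log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")
ARCHIVES = (".jar", ".war", ".ear")


def _version(name):
    """Return (major, minor, patch) if name is a log4j-core jar, else None."""
    m = CORE_JAR.search(name.replace("\\", "/"))
    return tuple(int(g or 0) for g in m.groups()) if m else None


def _walk(name, read, found, depth=0):
    """Record a log4j-core jar, or open the archive and look at nested ones."""
    v = _version(name)
    if v:
        found.append((name, v, v < FIXED))
    elif depth <= 3:  # bounded nesting: ear -> war -> jar
        try:
            with zipfile.ZipFile(io.BytesIO(read())) as zf:
                for e in zf.namelist():
                    if e.lower().endswith(ARCHIVES):
                        _walk(f"{name}!/{e}", lambda e=e: zf.read(e), found, depth + 1)
        except zipfile.BadZipFile:
            pass  # not a real archive; nothing to inspect


def scan(root):
    """Return (juli_present, [(location, version, below_fixed), ...])."""
    root, found = Path(root), []
    juli = (root / "bin" / "tomcat-juli.jar").is_file()
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVES:
            _walk(p.as_posix(), p.read_bytes, found)
    return juli, found


if __name__ == "__main__":
    juli, hits = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("tomcat-juli.jar in bin/:", juli)
    for loc, ver, old in hits:
        print("BELOW 2.17.1" if old else "ok", ".".join(map(str, ver)), loc)
```

File-name matching will not see Log4j classes repackaged inside a shaded jar, so an empty result is not proof of absence.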