CVE-2021-45046: Now everyone should update to Log4j 2.16

Question

CVE-2021-45046: Now everyone should update to Log4j 2.16

SanderH opened this issue 2 years ago · comments

SanderH commented 2 years ago

See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

Reset the patched software list and start all over again?

Goldshop · Answer 1 · Wed Dec 15 2021 18:57:08 GMT+0800 (China Standard Time)

Link for further ref: https://access.redhat.com/security/cve/cve-2021-45046

jberends · Answer 2 · Wed Dec 15 2021 22:30:04 GMT+0800 (China Standard Time)

the CVSS is 3/7 (moderate) so that is a tad lower than 10.0

moderate (CVSS: 3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

referent source: https://www.openwall.com/lists/oss-security/2021/12/14/4

Furthermore this CVE is included for already some of the scanner tools. Also Lunasec (the ones that brought out Log4shell in the first place AFAIK) wrote a recommendation to upgrade to 2.16 even when you upgraded to 2.15 already (see: https://www.lunasec.io/docs/blog/log4shell-live-patch/)

see releases of their scanner tool on: https://github.com/lunasec-io/lunasec/releases/

Peter · Answer 3 · Fri Dec 17 2021 17:08:49 GMT+0800 (China Standard Time)

CVE-2021-45046 was raised to CVSS 9.0
Reference: https://logging.apache.org/log4j/2.x/security.html

Pieter de Rijk · Answer 4 · Sun Dec 19 2021 00:31:50 GMT+0800 (China Standard Time)

Log4J version 2.17.0 is released.

Reference: https://logging.apache.org/log4j/2.x/security.html

Maybe adding a column to mark if a product/application applied version 2.17.0?

Maarten Aertsen · Answer 5 · Tue Dec 21 2021 20:46:53 GMT+0800 (China Standard Time)

Thanks for your feedback. We've split out the different CVE's in columns on monday.