CVE-2021-45046: Now everyone should update to Log4j 2.16
SanderH opened this issue
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
Reset the patched software list and start all over again?
Link for further ref: https://access.redhat.com/security/cve/cve-2021-45046
The CVSS is 3.7 (moderate), so that is a tad lower than 10.0:
moderate (CVSS: 3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
Reference source: https://www.openwall.com/lists/oss-security/2021/12/14/4
Furthermore, this CVE is already included in some of the scanner tools. Also, Lunasec (the ones that brought out Log4Shell in the first place, AFAIK) wrote a recommendation to upgrade to 2.16 even if you have already upgraded to 2.15 (see: https://www.lunasec.io/docs/blog/log4shell-live-patch/).
See the releases of their scanner tool at: https://github.com/lunasec-io/lunasec/releases/
CVE-2021-45046 was raised to CVSS 9.0.
Reference: https://logging.apache.org/log4j/2.x/security.html
Log4j version 2.17.0 has been released.
Reference: https://logging.apache.org/log4j/2.x/security.html
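When a patched-software list has to be reset, the first step is finding which log4j-core jars are actually deployed and which of the versions discussed here they are on. The following triage script is an added example written for this page, not code from the issue or from the scanner tools linked above. It assumes, as Apache's jars normally do, that log4j-core carries an Implementation-Version entry in META-INF/MANIFEST.MF, and falls back to the file name otherwise. The thresholds come from the thread: 2.15 as the original Log4Shell fix, 2.16.0 for CVE-2021-45046, and 2.17.0 as the latest release mentioned.

```python
"""Triage log4j-core jars under a directory against the versions discussed in this thread.
Added example; not part of the issue thread or of any linked scanner tool.
"""
import os
import re
import tempfile
import zipfile
from typing import Optional

# Thresholds taken from the thread (see lead-in).
LOG4SHELL_FIXED = (2, 15, 0)
CVE_2021_45046_FIXED = (2, 16, 0)
LATEST_IN_THREAD = (2, 17, 0)

JAR_NAME_RE = re.compile(r"log4j-core-(\d+\.\d+(?:\.\d+)?)\.jar$")


def parse_version(text: str) -> tuple:
    """'2.15.0' -> (2, 15, 0); a missing patch component counts as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def jar_version(path: str) -> Optional[str]:
    """Read Implementation-Version from the manifest; fall back to the file name.
    Assumption: log4j-core jars declare Implementation-Version in MANIFEST.MF."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return m.group(1)
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # not a valid jar or no manifest: try the file name instead
    m = JAR_NAME_RE.search(os.path.basename(path))
    return m.group(1) if m else None


def classify(version: tuple) -> str:
    """Map a (major, minor, patch) tuple to the action the thread implies."""
    if version < LOG4SHELL_FIXED:
        return "Log4Shell and CVE-2021-45046: upgrade"
    if version < CVE_2021_45046_FIXED:
        return "CVE-2021-45046: upgrade"
    if version < LATEST_IN_THREAD:
        return "below latest release noted in thread (2.17.0)"
    return "ok"


def scan(root: str) -> dict:
    """Map each log4j-core jar found under root to its triage result."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not (name.startswith("log4j-core") and name.endswith(".jar")):
                continue
            path = os.path.join(dirpath, name)
            ver = jar_version(path)
            results[os.path.relpath(path, root)] = (
                classify(parse_version(ver)) if ver else "unknown version")
    return results


def build_demo_tree() -> str:
    """Constructed fixture: a temp tree with minimal jars whose manifests declare
    the versions discussed in the thread, plus one jar identified only by name."""
    root = tempfile.mkdtemp(prefix="log4j-triage-")
    for sub, version in (("app-a", "2.14.1"), ("app-b", "2.15.0"),
                         ("app-c", "2.16.0"), ("app-d", "2.17.0")):
        os.makedirs(os.path.join(root, sub))
        manifest = f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n"
        with zipfile.ZipFile(os.path.join(root, sub, f"log4j-core-{version}.jar"), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
    # A jar with no manifest at all: only the file name gives the version.
    os.makedirs(os.path.join(root, "app-e"))
    with zipfile.ZipFile(os.path.join(root, "app-e", "log4j-core-2.12.1.jar"), "w") as zf:
        zf.writestr("placeholder.txt", "no manifest here")
    return root


if __name__ == "__main__":
    for path, verdict in sorted(scan(build_demo_tree()).items()):
        print(f"{path}: {verdict}")
```

A real run would point `scan()` at the application root (or at exploded WAR/EAR directories); jars nested inside other jars are not unpacked here, which is the usual reason a deployment shows as clean while a scanner still flags it.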
Maybe add a column to mark whether a product/application has applied version 2.17.0?
Thanks for your feedback. We split out the different CVEs into columns on Monday.