Thanks Joakim,

The class names are the same, and I hadn't looked at the code yet.

It also seemed to explain why this java startup arg doesn't cause an error with no log4j jar in my classpath:

   -Dlog4j2.formatMsgNoLookups=True

Bill


On 12/16/21 1:05 PM, Joakim Erdfelt wrote:
Bill,

That doesn't look like log4j itself, merely an integration layer for using log4j with that project.

Joakim Erdfelt / [email protected]


On Thu, Dec 16, 2021 at 2:43 PM Bill Ross via jetty-users <[email protected]> wrote:

    One needs to check *all* jars too. I notice that the c3p0 db
    connection pool package uses a lib (by the same author) called
    mchange-commons that incorporates log4j:

        
        https://github.com/swaldman/mchange-commons-java/tree/master/src/main/java/com/mchange

        $ jar tf ...jar

        com/mchange/v2/log/log4j2/MLogAppender.class
        com/mchange/v2/log/log4j/Log4jMLog$Log4jMLogger.class
        com/mchange/v2/log/log4j2/Log4j2MLog$Log4jMLogger.class
        com/mchange/v2/log/log4j2/Log4j2MLog.class

    In case anyone else is concerned. I haven't had time to do more
    than verify I can't get a side effect from outside my site.

    Bill


    On 12/16/21 5:26 AM, Joakim Erdfelt wrote:
    You have 2 recent CVEs for Log4j 2.x to be aware of
    - CVE-2021-44228 and CVE-2021-45046.
    Both of these are currently resolved by simply upgrading to
    Log4j2 2.16.0.

    Log4j 1.x was EOL in August 2015 and now has an ever-growing
    post-EOL CVE list; its use in production is not recommended anymore.

    As Simone pointed out, Jetty has never had a dependency on log4j,
    any version.
    If you are using log4j, then you added it to your own copy of Jetty.
    Upgrading log4j, or deciding to switch to a different logging
    implementation (logback, java.util.logging, etc) will have zero
    impact on Jetty itself.

    Joakim Erdfelt / [email protected]


    On Thu, Dec 16, 2021 at 12:57 AM Kumar, Amit (Noida) via
    jetty-dev <[email protected]> wrote:

        Hi Team,

        We are using the below jars provided by you. We want to ensure and
        know if they are impacted by “Apache Log4j Tool : Zero Day in
        Ubiquitous Under Active Attack (CVE-2021-44228)”. If they are
        impacted, please let us know about the security
        recommendation. To know, we are looking for the following answers:

        Jars:

        jetty-4.2.19 4.2.19

        jetty-continuation-7.5.4.v20111024 7.5.4

        jetty-http-7.5.4.v20111024 7.5.4

        jetty-security-7.5.4.v20111024 7.5.4

        jetty-util-7.5.4.v20111024 7.5.4

        jetty-io-7.5.4.v20111024 7.5.4

        jetty-server-7.5.4.v20111024 7.5.4

        Are you using log4J?

        If you are using log4j 1.x version, are you using the JMSAppender
        class?

        If you are using log4j 2.x, what is your security
        recommendation to fix the issue?

        Thanks and regards,

        *Amit Kumar*

        *Tech Lead, Software Development Engineering*


        _______________________________________________
        jetty-dev mailing list
        [email protected]
        To unsubscribe from this list, visit
        https://www.eclipse.org/mailman/listinfo/jetty-dev


    _______________________________________________
    jetty-users mailing list
    [email protected]
    To unsubscribe from this list, visit
    https://www.eclipse.org/mailman/listinfo/jetty-users

--
Phobrain.com
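
The distinction drawn in this thread, between a jar that contains log4j itself and one that only has log4j-named integration classes, can be checked by package path, including jars nested inside a war or fat jar. This is an added example, not code from the thread or from Jetty; the Log4j package paths are Log4j's own layout rather than something quoted above, and the sample archives are constructed in memory.

```python
import io
import zipfile

# Log4j's own package layout; these paths are not quoted in the thread.
LOG4J2_CORE = "org/apache/logging/log4j/core/"
JNDI_LOOKUP = LOG4J2_CORE + "lookup/JndiLookup.class"
LOG4J1 = "org/apache/log4j/"
ARCHIVES = (".jar", ".war", ".ear", ".zip")


def classify(data, name="<archive>", depth=0, max_depth=5):
    """Return [(archive_path, finding)] for an archive and archives nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(name, "unreadable")]
    findings = []
    with zf:
        entries = zf.namelist()
        if JNDI_LOOKUP in entries:
            findings.append((name, "log4j2-core with JndiLookup"))
        elif any(e.startswith(LOG4J2_CORE) for e in entries):
            findings.append((name, "log4j2-core without JndiLookup"))
        if any(e.startswith(LOG4J1) for e in entries):
            findings.append((name, "log4j 1.x classes"))
        # Class names that only mention log4j, e.g. com/mchange/v2/log/log4j2/...
        if not findings and any(
                "log4j" in e.lower() and e.endswith(".class") for e in entries):
            findings.append((name, "log4j-named classes outside Log4j packages"))
        for e in entries:  # fat jars and wars carry further jars inside
            if e.lower().endswith(ARCHIVES) and depth < max_depth:
                findings += classify(zf.read(e), f"{name}!/{e}", depth + 1, max_depth)
    return findings


def make_jar(entries):
    """Build a constructed in-memory jar from {entry_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()


def demo():
    # Constructed samples; the class bodies are empty placeholders.
    mchange = make_jar({"com/mchange/v2/log/log4j2/Log4j2MLog.class": b""})
    core = make_jar({JNDI_LOOKUP: b"", LOG4J2_CORE + "Logger.class": b""})
    war = make_jar({"WEB-INF/lib/mchange.jar": mchange, "WEB-INF/lib/core.jar": core})
    return classify(war, "app.war")
```

For a real file, pass its bytes and path to `classify`. The check is by entry path only, so a shaded copy of log4j relocated to another package will show up as "log4j-named classes outside Log4j packages" at best and still needs manual review.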