Re: [basex-talk] Log4j vulnerability CVE-2021-44228
> Waiting smugly, I gather ;->

;) mostly because my last two days were completely taken up with client and user requests on log4j.

A blog article on Open Source software and commercial users, worth reading: https://blog.filippo.io/professional-maintainers/

Jonathan Robie wrote on Mon., 13 Dec 2021, 19:08:

> On Mon, Dec 13, 2021 at 10:18 AM Christian Grün wrote:
>> I was waiting for that question ;)
>
> Jonathan
Re: [basex-talk] Log4j vulnerability CVE-2021-44228
On Mon, Dec 13, 2021 at 10:18 AM Christian Grün wrote:
> I was waiting for that question ;)

Waiting smugly, I gather ;->

Jonathan
Re: [basex-talk] Log4j vulnerability CVE-2021-44228
Hi Christian,

So you already knew :)

Very glad to read your answer, the exploitation attempts are already showing up in the logs.

Thanks, this helps a lot,
Marc

On Mon, 13 Dec 2021, Christian Grün wrote:
> Hi Marc,
>
> I was waiting for that question ;)
>
> All fine, BaseX uses a custom logger, as well as Jetty does [1,2].
>
> You may need to check your setup, though, if you use Tomcat as web
> server or any additional search index applications like Solr or
> Elasticsearch. ES is only susceptible to information leak, not remote
> code execution [3].
>
> Hope this helps,
> Christian
>
> [1] https://docs.basex.org/wiki/Logging
> [2] https://docs.huihoo.com/jetty/the-definitive-reference/configuring-logging.html
> [3] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
>
> On Mon, Dec 13, 2021 at 4:11 PM Marc Coenegracht wrote:
>>
>> Does Basex (9.x or 8.x) use Log4j in any of its components?
>> If not, should one still worry about the JRE?
>>
>> Regards,
>> Marc
Re: [basex-talk] Log4j vulnerability CVE-2021-44228
Hi Marc,

I was waiting for that question ;)

All fine, BaseX uses a custom logger, as well as Jetty does [1,2].

You may need to check your setup, though, if you use Tomcat as web server or any additional search index applications like Solr or Elasticsearch. ES is only susceptible to information leak, not remote code execution [3].

Hope this helps,
Christian

[1] https://docs.basex.org/wiki/Logging
[2] https://docs.huihoo.com/jetty/the-definitive-reference/configuring-logging.html
[3] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

On Mon, Dec 13, 2021 at 4:11 PM Marc Coenegracht wrote:
>
> Does Basex (9.x or 8.x) use Log4j in any of its components?
> If not, should one still worry about the JRE?
>
> Regards,
> Marc
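Christian's advice above is to check the rest of the stack (Tomcat, Solr, Elasticsearch) rather than BaseX itself. As an added example, not from this thread or the BaseX project, the following Python inventories a deployment directory for log4j-core, descending into nested archives such as a Tomcat .war, and flags versions below 2.15.0, the release that fixed CVE-2021-44228. JNDI_CLASS, POM_PROPS, FIXED and build_sample_war are names chosen here; the sample .war is constructed for the demonstration and stands in for a real jar.

```python
import io
import re
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class that does the JNDI lookup
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # carries version=
ARCHIVES = (".jar", ".war", ".ear", ".zip")
FIXED = (2, 15, 0)  # log4j-core 2.15.0 fixed CVE-2021-44228

def parse_version(text):
    """(major, minor, patch) from a pom.properties body, or None if absent."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", text, re.MULTILINE)
    return tuple(int(x) for x in m.groups()) if m else None

def scan_archive(data, name):
    """Yield one finding per log4j-core found in an archive or any archive nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container, nothing to inspect
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names or POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
            yield {"archive": name, "version": version, "jndi_lookup_present": JNDI_CLASS in names,
                   # an unreadable version with JndiLookup still present is treated as affected
                   "affected": JNDI_CLASS in names and (version is None or version < FIXED)}
        for inner in sorted(names):  # a .war carries its jars under WEB-INF/lib
            if inner.lower().endswith(ARCHIVES):
                yield from scan_archive(zf.read(inner), f"{name}!{inner}")

def scan_tree(root):
    """Scan every archive below a directory, e.g. Tomcat's webapps/ or Solr's lib/."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            findings.extend(scan_archive(path.read_bytes(), str(path)))
    return findings

def build_sample_war(version="2.14.1"):
    """Constructed fixture: a .war wrapping a minimal stand-in for log4j-core (not the real jar)."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        z.writestr(JNDI_CLASS, b"placeholder, not a real class file")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", jar.getvalue())
    return war.getvalue()
```

Run scan_tree against the directory that holds your Tomcat, Solr or Elasticsearch installation; a finding with "affected": True names the exact archive path, nested jar included, that needs upgrading.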
[basex-talk] Log4j vulnerability CVE-2021-44228
Does Basex (9.x or 8.x) use Log4j in any of its components?
If not, should one still worry about the JRE?

Regards,
Marc