Hi Andrew,
Thank you for letting us know.
Rob spotted that the log4j project security page has been updated:
https://logging.apache.org/log4j/2.x/security.html
revising it to critical (9/10).
We've already started a vote on Jena 4.3.2 with log4j 2.16.0.
https://lists.apache.org/thread/tj0mo24g8jvfr02964nww96ckfvxnhjm
(we are not bypassing the need to have the proper votes for a release)
Very few changes in 4.3.2 but - bonus prize! - JENA-2215 (make sure
logging is in the war file) is included.
Andy
On 17/12/2021 21:33, Andrii Berezovskyi wrote:
Hello Andy,
I hate to be the bearer of bad news, but in a recent discussion on Lobsters [1] it was
brought to my attention that there apparently exists a bypass [2] of the fix in 2.15.0
that brings back the RCE. To be clear, the new exploit no longer requires fiddling with
the Thread Context Map settings. The CVE page [3] now says "This vulnerability has
been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may
result in further changes to the information provided.", which means that the
original score 3.7/10 no longer applies to the new CVE.
Harri, the WAR file of 4.3.1 was missing log4j JARs and I had success
simply placing 2.16.0 JARs myself. You should be able to use that as a
temporary mitigation until the new version comes out.
/Andrew
[1]:
https://lobste.rs/s/ccc9tu/patch_fixing_critical_log4j_0_day_has_its#c_c2syst
[2]:
https://www.lunasec.io/docs/blog/log4j-zero-day-severity-of-cve-2021-45046-increased/#update-the-localhost-bypass-was-discovered
[3]: https://nvd.nist.gov/vuln/detail/CVE-2021-45046
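As an added example (not part of this thread, nor Jena's or log4j's own code), a small Python check for the mitigation Andrew describes: scan a WAR's WEB-INF/lib for the bundled log4j-core JAR and report whether it is absent, below 2.16.0, or at or above it. The WAR contents below are constructed in the script; the 2.16.0 threshold is the version this thread moves to.

```python
"""Report the log4j-core version bundled in a WAR (constructed example)."""
import io
import re
import zipfile
from typing import List, Tuple

# Version this thread upgrades to; treat anything below it as needing attention.
MIN_SAFE = (2, 16, 0)

# Matches e.g. WEB-INF/lib/log4j-core-2.15.0.jar (optional -suffix such as -SNAPSHOT).
JAR_RE = re.compile(r"^WEB-INF/lib/log4j-core-(\d+)\.(\d+)\.(\d+)(?:-[\w.]+)?\.jar$")


def log4j_core_versions(war_bytes: bytes) -> List[Tuple[int, int, int]]:
    """Return the version tuples of every log4j-core JAR found in WEB-INF/lib."""
    found = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = JAR_RE.match(name)
            if m:
                found.append(tuple(int(x) for x in m.groups()))
    return found


def assess(war_bytes: bytes, minimum: Tuple[int, int, int] = MIN_SAFE) -> str:
    """'missing' if no log4j-core JAR is bundled (as in the 4.3.1 WAR described
    above), 'ok' if every bundled copy is >= minimum, else 'vulnerable'."""
    versions = log4j_core_versions(war_bytes)
    if not versions:
        return "missing"
    return "ok" if all(v >= minimum for v in versions) else "vulnerable"


def build_war(entries: List[str]) -> bytes:
    """Construct a minimal WAR (a zip with empty entries) for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in entries:
            z.writestr(name, b"")
    return buf.getvalue()


# Constructed sample WARs (entry names only; JAR bodies are empty).
WAR_MISSING = build_war(["WEB-INF/web.xml", "WEB-INF/lib/jena-core-4.3.1.jar"])
WAR_OLD = build_war(["WEB-INF/web.xml", "WEB-INF/lib/log4j-core-2.15.0.jar",
                     "WEB-INF/lib/log4j-api-2.15.0.jar"])
WAR_FIXED = build_war(["WEB-INF/web.xml", "WEB-INF/lib/log4j-core-2.16.0.jar",
                       "WEB-INF/lib/log4j-api-2.16.0.jar"])

if __name__ == "__main__":
    for label, war in [("missing", WAR_MISSING), ("old", WAR_OLD), ("fixed", WAR_FIXED)]:
        print(label, log4j_core_versions(war), assess(war))
```

The check only looks at JARs laid out under WEB-INF/lib; a log4j-core copy shaded into another JAR would not be seen by it.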