Please update log4j2 dependencies to log4j 2.16

It is not enough simply to add -Dlog4j2.formatMsgNoLookups=true. There are 2 problems:

This is needed because version 2.15 is still exploitable in certain non-default configurations, and this moderate-severity oversight has earned its own bug ID: CVE-2021-45046.

That release closed the hole (CVE-2021-44228) by disabling by default the Java library’s primarily exploitable functionality: JNDI message lookups. Now version 2.16 is out, and it disables all JNDI support by default, and removes message lookup handling entirely for good measure, hopefully finally preventing further exploitation.

https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/
https://www.theregister.com/2021/12/14/apache_log4j_2_16_jndi_disabled/

And thanks for your fast and hard work.

I had put in a GitHub ticket before I realized that the forums are preferred. More detail here: github dot com /codelibs/fess/issues/2610

…uh, I guess I can’t post a link to github. So you’ll have to assemble that link yourself. :man_facepalming:
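As an added illustration (not code from this thread or from the Fess project), the following Python snippet reads the log4j-core version recorded in a jar's Maven pom.properties and classifies it against the versions discussed above: 2.16 is fine, 2.15 still needs the update (CVE-2021-45046), and anything older is not fixed by the formatMsgNoLookups flag alone. The jar used here is constructed in memory for the example; point log4j_core_version at a real jar's bytes to check a deployment.

```python
import io
import re
import zipfile

# Path Maven writes into every log4j-core jar; it carries the artifact version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Turn a version string such as '2.15.0' into a comparable tuple (2, 15, 0)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def log4j_core_version(jar_bytes):
    """Return the version string from a log4j-core jar, or None if it is not a log4j-core jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPERTIES not in jar.namelist():
            return None
        for line in jar.read(POM_PROPERTIES).decode("utf-8").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def assess(version, format_msg_no_lookups=False):
    """Classify a log4j-core version as discussed in the thread: (status, reason)."""
    v = parse_version(version)
    if v >= (2, 16, 0):
        return ("ok", "2.16 disables JNDI by default and removes message lookups")
    if v >= (2, 15, 0):
        return ("update", "2.15 is still exploitable in non-default configurations (CVE-2021-45046)")
    if format_msg_no_lookups:
        return ("update", "-Dlog4j2.formatMsgNoLookups=true alone is not enough; CVE-2021-44228 fix missing")
    return ("update", "JNDI message lookups enabled (CVE-2021-44228)")


def make_sample_jar(version):
    """Constructed sample: an in-memory jar containing only the pom.properties entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
    return buf.getvalue()


if __name__ == "__main__":
    for ver in ("2.14.1", "2.15.0", "2.16.0"):
        found = log4j_core_version(make_sample_jar(ver))
        print(found, assess(found, format_msg_no_lookups=True))
```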

Please see Log4j2 RCE Vulnerability for CVE-2021-44228
We will update it.

Looks like codelibs is now including their own, patched version of log4j core in v13.15.3, so I think we’re in the clear with this new version.

Thanks, @shinsuke !

Refs:

  • github /codelibs/fess/releases/tag/fess-13.15.3
  • github /codelibs/fess/issues/2611
  • github /codelibs/fess/issues/2610