Another JAMF Update incoming? Log4J 2.15 still vulnerable

pjdoll
New Contributor

New info this morning regarding log4J. Version 2.15, included in the recent JAMF patch, is still vulnerable. When is a patch incoming?

Event Impact:

CVE-2021-45046 was originally believed to allow a denial of service in Log4J 2.15.0 if certain non-default configurations were used. Security researchers have since found ways to leverage this vulnerability to allow remote code execution.

Additional research on Log4J 2.15.0 also showed that previous mitigations (specifically setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true) did not provide sufficient protection as there are still code paths in Log4J where message lookups could occur.

References:

https://logging.apache.org/log4j/2.x/security.html
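
Because the post notes that the `formatMsgNoLookups` setting is not sufficient, the reliable check is which log4j-core version is actually bundled, including jars nested inside a WAR. The sketch below is an added example, not part of the original post and not Jamf or Apache code; the archive names and the `99.0.0` version are constructed, and treating everything at or below 2.15.0 as "review against the Apache security page" is an assumption of this example.

```python
import io, re, zipfile

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FLAGGED = (2, 15, 0)  # the version the post reports as still vulnerable

def core_version(zf):
    """Return the log4j-core version tuple recorded in an open jar, or None."""
    if POM not in zf.namelist():
        return None
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", zf.read(POM).decode(), re.M)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def scan(data, name, depth=0):
    """Recursively scan archive bytes; return [(path, version, review)]."""
    found = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found  # not an archive, nothing to report
    with zf:
        v = core_version(zf)
        if v:  # identified by Maven metadata, so a renamed jar is still caught
            found.append((name, ".".join(map(str, v)), v <= FLAGGED))
        if depth < 4:  # bound recursion into nested archives
            for entry in zf.namelist():
                if entry.lower().endswith((".jar", ".war", ".ear")):
                    found += scan(zf.read(entry), f"{name}!/{entry}", depth + 1)
    return found

def _make_jar(version):
    """Constructed sample: a jar holding only log4j-core's pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM, f"version={version}\nartifactId=log4j-core\n")
    return buf.getvalue()

def sample_war():
    """Constructed sample WAR with two nested jars (99.0.0 is a placeholder)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-renamed.jar", _make_jar("2.15.0"))
        z.writestr("WEB-INF/lib/other.jar", _make_jar("99.0.0"))
        z.writestr("WEB-INF/web.xml", "<web-app/>")
    return buf.getvalue()

if __name__ == "__main__":
    for path, ver, review in scan(sample_war(), "app.war"):
        print(f"{'REVIEW' if review else 'ok':6} {ver:8} {path}")
```

To scan a real file, pass its bytes and path to `scan()`, for example `scan(open(p, "rb").read(), p)`.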


tender
New Contributor II

Came here looking for an answer to this.

tend·er (tĕn′dər) noun: One who tends something.

pjdoll
New Contributor

Thanks JAMF for the timely update (updated on Friday). Accepted solution.