New info this morning regaridng log4J. Version 2.15, included in the recent JAMF patch, is still vulnerable. When is a patch incoming?
CVE-2021-45046 was originally believed to allow a denial of service in Log4J 2.15.0 if certain non-default configurations were used. Security researchers have since found ways to leverage this vulnerability to allow remote code execution.
Additional research on Log4J 2.15.0 also showed that previous mitigations (specifically setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true) did not provide sufficient protection as there are still code paths in Log4J where message lookups could occur.
Solved! Go to Solution.