Madsonic Newsletter 01/2022
Posted: 22 Jan 2022, 16:17
Dear Madsonic Community
Log4j: about the vulnerabilities
Log4j is an open-source Java logging library developed by the Apache Software Foundation. It is widely used in many applications and is present in many services as a transitive dependency, so a product can ship it without ever calling it directly.
In December 2021, a number of vulnerabilities were reported in Log4j 2.x:
CVE-2021-44228 - referred to as the "Log4shell" vulnerability, affects Log4j versions 2.0-beta9 to 2.14.1. It allows remote code execution and information disclosure if exploited (an attacker only needs to get a crafted string into a logged message).
CVE-2021-45046 - affects versions 2.0-beta9 to 2.15.0, excluding 2.12.2. It was originally reported as a denial of service when organisations run a vulnerable non-default configuration. Later research found that the same configuration allowed a bypass of the 2.15.0 fix for Log4shell, again allowing remote code execution and information disclosure.
CVE-2021-45105 - affects Log4j versions 2.0-beta9 to 2.16.0. A similar denial-of-service issue to CVE-2021-45046 (uncontrolled recursion in self-referential lookups) when organisations run a vulnerable non-default configuration.
CVE-2021-44832 - remote code execution vulnerability affecting Log4j 2 versions 2.0-beta7 through 2.17.0, excluding the security-fix releases 2.3.2 and 2.12.4. It requires an attacker who can already modify the logging configuration (a JDBC Appender with a JNDI data source). Fixed by upgrading to 2.3.2 (for Java 6), 2.12.4 (for Java 7) or 2.17.1 (for Java 8 and later).
https://logging.apache.org/log4j/2.x/security.html
Updates
Madsonic does not use the log4j-core 2.x implementation; only the Log4j 1.x API, which is not affected by these CVEs, is used.
However, as a precaution, all dependent libraries in Madsonic 5/6/7 have been updated.
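Because Log4j usually arrives as a transitive dependency, the only reliable way to confirm a statement like the one above for a given build is to open the deployed war and look at what is actually bundled. The following is an added example written for this newsletter, not Madsonic's own code: it walks a jar/war (recursing into nested jars), reads the Maven metadata of every Log4j artifact, maps any log4j-core version onto the four CVE ranges listed above, and flags whether the JndiLookup class is still present. The main-line fix levels follow the ranges stated above; the Java 6 (2.3.x) and Java 7 (2.12.x) back-port levels follow the Apache security page linked above. The sample war it scans is constructed in memory and is not a real Madsonic build.

```python
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple, Union

# First vulnerable version and first fixed release per maintenance branch.
# Main-line levels follow the ranges in the newsletter; the 2.3.x (Java 6) and
# 2.12.x (Java 7) back-port levels follow the Apache security page it links to.
FIXES: Dict[str, Dict[str, str]] = {
    "CVE-2021-44228": {"intro": "2.0-beta9", "2.3": "2.3.1", "2.12": "2.12.2", "main": "2.15.0"},
    "CVE-2021-45046": {"intro": "2.0-beta9", "2.3": "2.3.1", "2.12": "2.12.2", "main": "2.16.0"},
    "CVE-2021-45105": {"intro": "2.0-beta9", "2.3": "2.3.1", "2.12": "2.12.3", "main": "2.17.0"},
    "CVE-2021-44832": {"intro": "2.0-beta7", "2.3": "2.3.2", "2.12": "2.12.4", "main": "2.17.1"},
}

_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$")

# Marker files inside a jar: Maven metadata carries the artifact version, and
# JndiLookup.class is the class whose removal was the stop-gap mitigation.
_POM_2X = re.compile(r"^META-INF/maven/org\.apache\.logging\.log4j/(log4j-[a-z0-9-]+)/pom\.properties$")
POM_1X = "META-INF/maven/log4j/log4j/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Sortable tuple; a pre-release ranks below the final release of the same number."""
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {v!r}")
    major, minor, patch, pre, pre_n = m.groups()
    return (int(major), int(minor), int(patch or 0), _PRE_RANK[pre] if pre else 3, int(pre_n or 0))


def affected_cves(version: str) -> List[str]:
    """CVEs from the list above that the given log4j-core version is affected by."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"          # "2.3" / "2.12" select a back-port line, else main
    hits = []
    for cve, levels in FIXES.items():
        fixed = levels.get(branch, levels["main"])
        if parse_version(levels["intro"]) <= v < parse_version(fixed):
            hits.append(cve)
    return hits


def _pom_version(data: bytes) -> Optional[str]:
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(data: bytes, path: str = "<root>") -> List[dict]:
    """Walk a jar/war/ear, recursing into nested jars, and report every Log4j artifact."""
    findings: List[dict] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = sorted(zf.namelist())
        has_jndi = JNDI_LOOKUP in names
        for name in names:
            m = _POM_2X.match(name)
            if m:
                artifact, ver = m.group(1), _pom_version(zf.read(name))
                findings.append({
                    "archive": path, "artifact": artifact, "version": ver,
                    # only log4j-core carries the vulnerable code; log4j-api on its own is not affected
                    "cves": affected_cves(ver) if artifact == "log4j-core" and ver else [],
                    "jndi_lookup_present": has_jndi if artifact == "log4j-core" else None,
                })
            elif name == POM_1X:
                # Log4j 1.x is outside the 2.x ranges above: reported for visibility, no CVE from this list
                findings.append({"archive": path, "artifact": "log4j (1.x)",
                                 "version": _pom_version(zf.read(name)), "cves": [],
                                 "jndi_lookup_present": None})
            elif name.lower().endswith((".jar", ".war", ".ear")):
                findings.extend(scan_archive(zf.read(name), f"{path}!/{name}"))
    return findings


def _jar(entries: Dict[str, Union[str, bytes]]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_war() -> bytes:
    """Constructed sample, not a real Madsonic build: Log4j 1.x next to a stray log4j-core 2.14.1."""
    core = _jar({
        "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
            "version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
        JNDI_LOOKUP: b"\xca\xfe\xba\xbe",  # placeholder bytes, not a real class file
    })
    log4j1 = _jar({POM_1X: "version=1.2.17\ngroupId=log4j\nartifactId=log4j\n"})
    return _jar({"WEB-INF/lib/log4j-core-2.14.1.jar": core,
                 "WEB-INF/lib/log4j-1.2.17.jar": log4j1})


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_war()
    for f in scan_archive(data):
        print(f"{f['archive']}: {f['artifact']} {f['version']} "
              f"cves={f['cves'] or 'none from this list'} jndi_lookup={f['jndi_lookup_present']}")
```

Run it against a downloaded madsonic.war (path given as the first argument) and expect to see only the 1.x artifact; a log4j-core entry with a non-empty cves list, or with jndi_lookup_present set to True on a version below 2.16.0, means a vulnerable copy is bundled regardless of what the application itself calls. Shaded or renamed copies of log4j-core without Maven metadata are not detected by this check, so a clean result is necessary but not sufficient.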
Info
Madsonic updates will be released on 01/24/2022, after testing.
https://www.madsonic.org/pages/download.jsp
best regards,
The Madsonic Team