Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05NGc3LWhwdjgtaDlxbc0bRQ
Remote code injection in Log4j
Impact
Logging untrusted or user-controlled data with a vulnerable version of Log4j may result in Remote Code Execution (RCE) against your application. This includes untrusted data included in logged errors such as exception traces, authentication failures, and other unexpected vectors of user-controlled input.
More Details:
https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
Patches
Version 1.11.1 of the Splunk Logging for Java library.
There is also a backport to version 1.6.2 released as a patch: 1.6.2-0-0.
Workarounds
If upgrading is not possible, then ensure the -Dlog4j2.formatMsgNoLookups=true system property is set on both client- and server-side components.
References
https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
For more information
If you have any questions or comments about this advisory:
- Open an issue in https://github.com/splunk/splunk-library-javalogging/issues
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05NGc3LWhwdjgtaDlxbc0bRQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 3 years ago
Updated: almost 2 years ago
Identifiers: GHSA-94g7-hpv8-h9qm
References:
- https://github.com/splunk/splunk-library-javalogging/security/advisories/GHSA-94g7-hpv8-h9qm
- https://github.com/advisories/GHSA-94g7-hpv8-h9qm
Blast Radius: 1.0
Affected Packages
maven:com.splunk.logging:splunk-library-javalogging
Affected Version Ranges: < 1.11.1
Fixed in: 1.11.1
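As an added example (not code from Splunk, GitHub or ecosyste.ms), the following script checks a Maven `pom.xml` for a direct dependency on the affected package and classifies its version against the range stated above. It uses the page's coordinates (`com.splunk.logging:splunk-library-javalogging`, fixed in 1.11.1) and, following the Patches section, treats the backport `1.6.2-0-0` as patched even though it sorts below 1.11.1. The version-parsing rule, the `${property}` resolution and the sample `pom.xml` (with the constructed version `1.8.0`) are assumptions of this example; transitive dependencies are not examined, so run it alongside `mvn dependency:tree` output rather than instead of it.

```python
import re
import xml.etree.ElementTree as ET

# Coordinates and fix information taken from the advisory on this page.
ADVISORY = "GHSA-94g7-hpv8-h9qm"
AFFECTED_GROUP = "com.splunk.logging"
AFFECTED_ARTIFACT = "splunk-library-javalogging"
FIXED_VERSION = "1.11.1"
BACKPORT_FIX = "1.6.2-0-0"  # stated on the page as the patched 1.6.x backport

MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"


def parse_version(version):
    """Split '1.6.2-0-0' into ((1, 6, 2), '0-0').

    Assumption of this example: ordering is decided by the dotted numeric
    part only; the qualifier is kept for display and the backport check.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(.*))?", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    numbers = tuple(int(x) for x in m.group(1).split("."))
    return numbers, m.group(2) or ""


def is_affected(version):
    """True when the version falls inside the advisory's '< 1.11.1' range."""
    if version == BACKPORT_FIX:
        return False  # the page lists this backport as patched
    numbers, _ = parse_version(version)
    fixed, _ = parse_version(FIXED_VERSION)
    return numbers < fixed


def _text(element, name):
    child = element.find(f"{MAVEN_NS}{name}")
    return (child.text or "").strip() if child is not None else ""


def find_affected_dependencies(pom_xml):
    """Return [(version, status)] for every direct dependency on the
    affected artifact; status is 'affected', 'fixed' or 'unresolved'.
    Only <dependency> elements of this POM are inspected; versions set
    through dependencyManagement in a parent POM come back as 'unresolved'.
    """
    root = ET.fromstring(pom_xml)
    properties = {}
    props_el = root.find(f"{MAVEN_NS}properties")
    if props_el is not None:
        for p in props_el:
            properties[p.tag.replace(MAVEN_NS, "")] = (p.text or "").strip()

    findings = []
    for dep in root.iter(f"{MAVEN_NS}dependency"):
        group = _text(dep, "groupId")
        artifact = _text(dep, "artifactId")
        version = _text(dep, "version")
        if (group, artifact) != (AFFECTED_GROUP, AFFECTED_ARTIFACT):
            continue
        # Resolve a ${property} reference declared in <properties>.
        ref = re.fullmatch(r"\$\{([^}]+)\}", version)
        if ref:
            version = properties.get(ref.group(1), "")
        if not version:
            findings.append(("", "unresolved"))
        elif is_affected(version):
            findings.append((version, "affected"))
        else:
            findings.append((version, "fixed"))
    return findings


# Constructed sample POM for demonstration; the 1.8.0 version is invented.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <splunk.logging.version>1.8.0</splunk.logging.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.splunk.logging</groupId>
      <artifactId>splunk-library-javalogging</artifactId>
      <version>${splunk.logging.version}</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.36</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for version, status in find_affected_dependencies(SAMPLE_POM):
        print(f"{ADVISORY}: {AFFECTED_GROUP}:{AFFECTED_ARTIFACT} "
              f"{version or '(version not declared here)'} -> {status}")
```

Point the script at a real `pom.xml` by reading the file into `find_affected_dependencies`; a result of `unresolved` means the version is inherited from a parent or BOM and has to be checked there, and a dependency pulled in transitively by another library will not appear at all.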