Hi List,
I see on CentOS 7 it has log4j-1.2.17... Is it OK to use? I know the CVE was against 2.0 forward, but I don't know if something was backported to 1.2?
Thanks,
Steve
--
Stephen Clark
NetWolves Managed Services, LLC.
Sr. Applications Architect
Email Confidentiality Notice: The information contained in this transmission may contain privileged and confidential and/or protected health information (PHI) and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). This transmission is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, dissemination, distribution, printing or copying of this transmission is strictly prohibited and may subject you to criminal or civil penalties. If you have received this transmission in error, please contact the sender immediately and delete this email and any attachments from any computer. Vaso Corporation and its subsidiary companies are not responsible for data leaks that result from email messages received that contain privileged and confidential and/or protected health information (PHI).
Hello Steve,
On 2021-12-14 13:42, Steve Clark via CentOS wrote:
> Hi List,
> I see on CentOS 7 it has log4j-1.2.17... Is it OK to use? I know the CVE was against 2.0 forward, but I don't know if something was backported to 1.2?
> Thanks, Steve
log4j Version 1.2 is definitely *NOT* OK to use.
The Apache website https://logging.apache.org/log4j/1.2/ says: "On August 5, 2015 the Logging Services Project Management Committee announced that Log4j 1.x had reached end of life."
There is already an unpatched CVE from 2019 for log4j 1.2.
It's really time to upgrade.
Kind regards, Steve
On 12/14/21 8:07 AM, Steve Meier wrote:
> Hello Steve,
> On 2021-12-14 13:42, Steve Clark via CentOS wrote:
> > Hi List,
> > I see on CentOS 7 it has log4j-1.2.17... Is it OK to use? I know the CVE was against 2.0 forward, but I don't know if something was backported to 1.2?
> > Thanks, Steve
> log4j Version 1.2 is definitely *NOT* OK to use.
> The Apache website https://logging.apache.org/log4j/1.2/ says: "On August 5, 2015 the Logging Services Project Management Committee announced that Log4j 1.x had reached end of life."
> There is already an unpatched CVE from 2019 for log4j 1.2.
> It's really time to upgrade.
> Kind regards, Steve
This is the standard version that comes with CentOS 7 and is the latest available as of a yum update just now: log4j-1.2.17-16.el7_4.noarch
-- Stephen Clark NetWolves Managed Services, LLC. Sr. Applications Architect
Hello Steve,
On 2021-12-14 14:14, Steve Clark wrote:
> This is the standard version that comes with CentOS 7 and is the latest available as of a yum update just now: log4j-1.2.17-16.el7_4.noarch
Yes, that's correct, but it is abandoned nonetheless.
According to the RPM's change log, Red Hat backported a fix for CVE-2017-5645. They have not done this for CVE-2019-17571 it seems. I would be very surprised if they'd do so now.
Kind regards, Steve
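The changelog check described in the message above, written out as a small script (added example, not code from the thread or from Red Hat). It reads a changelog on stdin and reports which of the given CVE ids it mentions; on a real CentOS 7 host the input would come from `rpm -q --changelog log4j`, while here a constructed changelog excerpt is piped in so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread: the check Steve Meier describes,
# reading the RPM changelog for mentions of specific CVE ids. On a real host:
#   rpm -q --changelog log4j | log4j_cve_check CVE-2017-5645 CVE-2019-17571
# Below, a constructed changelog excerpt is piped in so the script runs offline.

# log4j_cve_check CVE... : reads a changelog on stdin and reports, per CVE id,
# whether the changelog mentions it. Returns 0 only if every id is mentioned.
log4j_cve_check() {
    changelog=$(cat)
    rc=0
    for cve in "$@"; do
        # fixed-string, case-insensitive match so "cve-2017-5645" also hits
        if printf '%s\n' "$changelog" | grep -qiF -- "$cve"; then
            echo "$cve: mentioned in changelog (fix backported)"
        else
            echo "$cve: not mentioned in changelog"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample in the shape of `rpm -q --changelog` output; maintainer,
# dates and wording are invented, only the CVE id is taken from the thread.
SAMPLE_CHANGELOG='* Tue Aug 01 2017 Example Maintainer <maint@example.com> - 1.2.17-16
- Resolves: CVE-2017-5645
* Fri Jan 06 2017 Example Maintainer <maint@example.com> - 1.2.17-15
- Rebuild'

printf '%s\n' "$SAMPLE_CHANGELOG" | log4j_cve_check CVE-2017-5645 CVE-2019-17571 \
    || echo "at least one id is not mentioned; confirm against the vendor CVE page before calling it unfixed"
```

An id missing from the changelog is only a first-pass signal: as later messages in this thread point out, Red Hat treats CVE-2019-17571 as the same issue as CVE-2017-5645, so the vendor's CVE page, not the grep, is the authority.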
On 2021-12-14 08:31, Steve Meier wrote:
> Hello Steve,
> On 2021-12-14 14:14, Steve Clark wrote:
> > This is the standard version that comes with CentOS 7 and is the latest available as of a yum update just now: log4j-1.2.17-16.el7_4.noarch
> Yes, that's correct, but it is abandoned nonetheless.
> According to the RPM's change log, Red Hat backported a fix for CVE-2017-5645. They have not done this for CVE-2019-17571 it seems. I would be very surprised if they'd do so now.
Well, given that they indicated on their page for this CVE that they were still investigating the potential for the vulnerability existing in 1.2, it may happen.
It would be nice if there was a log4j-2 RPM available for C7, but as of this point, I've not been able to locate one.
> Hello Steve,
> On 2021-12-14 14:14, Steve Clark wrote:
> > This is the standard version that comes with CentOS 7 and is the latest available as of a yum update just now: log4j-1.2.17-16.el7_4.noarch
> Yes, that's correct, but it is abandoned nonetheless.
> According to the RPM's change log, Red Hat backported a fix for CVE-2017-5645. They have not done this for CVE-2019-17571 it seems. I would be very surprised if they'd do so now.
It seems CVE-2019-17571 is also covered by the fix for CVE-2017-5645:
https://access.redhat.com/node/4677071
Regards, Simon
On Tue, 2021-12-14 at 14:31 +0100, Steve Meier wrote:
> Hello Steve,
> On 2021-12-14 14:14, Steve Clark wrote:
> > This is the standard version that comes with CentOS 7 and is the latest available as of a yum update just now: log4j-1.2.17-16.el7_4.noarch
> Yes, that's correct, but it is abandoned nonetheless.
> According to the RPM's change log, Red Hat backported a fix for CVE-2017-5645. They have not done this for CVE-2019-17571 it seems. I would be very surprised if they'd do so now.
> https://access.redhat.com/node/4677071
According to that link CVE-2019-17571 is the same issue as CVE-2017-5645 and both are listed as fixed in this errata: https://access.redhat.com/errata/RHSA-2017:2423
So I think it's fixed.
Best regards, markus
Quoting Steve Meier <email@steve-meier.de>:
> Hello Steve,
> On 2021-12-14 14:14, Steve Clark wrote:
> > This is the standard version that comes with CentOS 7 and is the latest available as of a yum update just now: log4j-1.2.17-16.el7_4.noarch
> Yes, that's correct, but it is abandoned nonetheless.
> According to the RPM's change log, Red Hat backported a fix for CVE-2017-5645. They have not done this for CVE-2019-17571 it seems. I would be very surprised if they'd do so now.
> Kind regards, Steve
Tools
All links unchecked for content and quality
https://log4shell.huntress.com/ (source: Sven Kuhnert)
https://therecord.media/log4j-zero-day-gets-security-fix-just-as-scans-for-v...
Application
BlueTeam CheatSheet *Log4Shell* | Last updated: 2021-12-12 2129 UTC · GitHub
https://logging.apache.org/log4j/2.x/security.html
Press
https://www.heise.de/news/Log4j-2-16-0-verbessert-Schutz-vor-Log4Shell-Lueck...
https://www.golem.de/news/log4j-luecke-warum-log4shell-so-gefaehrlich-ist-un...
Note: the comments on the articles contain assessments and hints; newest articles at the top
https://www.heise.de/ratgeber/Schutz-vor-schwerwiegender-Log4j-Luecke-was-je...
https://www.golem.de/news/log4shell-bsi-vergibt-hoechste-warnstufe-fuer-log4...
https://www.spiegel.de/netzwelt/web/log4j-luecke-bundesbehoerden-von-schwere...
https://www.spiegel.de/netzwelt/web/log4-j-schwachstelle-ja-leute-die-scheis...
https://www.spiegel.de/netzwelt/web/bundesbehoerde-warnt-vor-schwachstelle-i...
Technical sources
https://www.heise.de/news/Kritische-Zero-Day-Luecke-in-log4j-gefaehrdet-zahl...
https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2021/12/warnmeldung_c...
https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-54...
Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation | CISA
Java vulnerability Log4Shell – what happened and what to do – Sophos News
Log4Shell explained – how it works, why you need to know, and how to fix it – Naked Security (sophos.com)
Quoting Ralf Prengel <ralf.prengel@rprengel.de>:
> Tools
> All links unchecked for content and quality
> https://log4shell.huntress.com/ (source: Sven Kuhnert)
> https://therecord.media/log4j-zero-day-gets-security-fix-just-as-scans-for-v...
Sorry, cut & paste error.
Ralf
On Tue, 14 Dec 2021 at 07:42 -0000, Steve Clark via CentOS wrote:
> I see on CentOS 7 it has log4j-1.2.17... Is it OK to use? I know the CVE was against 2.0 forward, but I don't know if something was backported to 1.2?
According to https://access.redhat.com/security/vulnerabilities/RHSB-2021-009 Red Hat 7 is not impacted by this problem. This may still be something in flux. We are removing all instances of log4j from our systems; the software using it is not important to us, just a convenience.
Stuart