[CentOS] log4j cve

Tue Dec 14 13:41:43 UTC 2021
Mike Burger <mburger at bubbanfriends.org>

On 2021-12-14 08:31, Steve Meier wrote:
> Hello Steve,
> 
> Am 2021-12-14 14:14, schrieb Steve Clark:
>>  This is the standard version that comes with CentOS 7 and is the
>> latest available as of a yum update just now.
>> log4j-1.2.17-16.el7_4.noarch
> 
> yes, that's correct, but it is abandoned nonetheless.
> 
> According to the RPM's change log, Red Hat backported a fix for 
> CVE-2017-5645.
> They have not done this for CVE-2019-17571 it seems.
> I would be very surprised if they'd do so now.

Well, given that they indicated on their page for this CVE that they 
were still investigating the potential for the vulnerability existing in 
1.2, it may happen.

It would be nice if there was a log4j-2 RPM available for C7, but as of 
this point, I've not been been able to locate one.

-- 
Mike Burger
http://www.bubbanfriends.org

"It's always suicide-mission this, save-the-planet that. No one ever 
just stops by to say 'hi' anymore." --Colonel Jack O'Neill, SG1