[CentOS] log4j cve

Tue Dec 14 15:20:23 UTC 2021
Simon Matter <simon.matter at invoca.ch>

> Hello Steve,
> Am 2021-12-14 14:14, schrieb Steve Clark:
>>  This is the standard version that comes with CentOS 7 and is the
>> latest available as of a yum update just now.
>> log4j-1.2.17-16.el7_4.noarch
> yes, that's correct, but it is abandoned nonetheless.
> According to the RPM's change log, Red Hat backported a fix for
> CVE-2017-5645.
> They have not done this for CVE-2019-17571 it seems.
> I would be very surprised if they'd do so now.

It seems CVE-2019-17571 is also covered by the fix for CVE-2017-5645: