
Security Update - Apache Log4j high vulnerability (CVE-2021-45105)

XPLG Security Update

We recently published patch 8067, which migrates all Log4j libraries used within XPLG to Apache Log4j2 version 2.16.0.

Apache has published a new announcement about another high-severity Log4j vulnerability (CVE-2021-45105). Apache announced that Apache Log4j2 versions 2.0-alpha1 through 2.16.0, excluding 2.12.3, did not protect against uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input that contains a recursive lookup, resulting in a StackOverflowError that terminates the process. This is also known as a DoS (Denial of Service) attack.
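The vulnerable condition above is a configuration property, so a defender can locate affected appenders before the patch is rolled out. The following added example (not code from XPLG or from Apache) scans a log4j2.xml for Context Lookups inside any PatternLayout and proposes the %X{key} Thread Context pattern converter, which is Apache's own recommended replacement for this CVE; the sample configuration is constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml (not from the advisory or XPLG): two appenders
# use the risky Context Lookup form, one already uses the %X{...} converter.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Risky" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p user=$${ctx:loginId} %m%n"/>
    </Console>
    <File name="AlsoRisky" fileName="app.log">
      <PatternLayout>
        <Pattern>%d session=${ctx:sessionId:-none} %m%n</Pattern>
      </PatternLayout>
    </File>
    <Console name="Safe" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p user=%X{loginId} %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Risky"/></Root></Loggers>
</Configuration>
"""

# ${ctx:key} or $${ctx:key}, with or without a ":-default" suffix; the key
# name is captured so an equivalent %X{key} can be proposed.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}:]+)(?::-[^}]*)?\}")


def find_ctx_lookups(config_xml: str) -> list:
    """One finding per Context Lookup in any PatternLayout (pattern attribute
    or nested <Pattern>). Which MDC keys carry untrusted data is a per-key call."""
    root = ET.fromstring(config_xml)
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for layout in root.iter("PatternLayout"):
        patterns = [layout.get("pattern") or ""]
        patterns += [el.text or "" for el in layout.findall("Pattern")]
        for pat in patterns:
            for m in CTX_LOOKUP.finditer(pat):
                findings.append({"appender": parent[layout].get("name", "?"),
                                 "lookup": m.group(0), "key": m.group(1),
                                 "replacement": "%X{" + m.group(1) + "}"})
    return findings


def hardened_pattern(pattern: str) -> str:
    """Rewrite Context Lookups to the %X{key} converter, which emits the MDC
    value as plain text instead of running it through lookup substitution."""
    return CTX_LOOKUP.sub(lambda m: "%X{" + m.group(1) + "}", pattern)
```

The scan only narrows the exposure; upgrading the library (patch 8069, Log4j2 2.17.0) remains the actual fix.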


Given Apache's latest announcement, patch 8069 is now available to migrate all used libraries to Apache Log4j2 version 2.17.0.

Additional information and detailed update procedure:

https://wiki.xpolog.com/display/XPOL/7.8069+(Log4J)+-+Release+Notes

XPLG Team