The officially official Devuan Forum!

#1 2022-04-21 10:57:08

Altoid
Member
Registered: 2017-05-07
Posts: 1,581  

Log4j vulnerability - Yet again

Hello:

For those who have not purged log4j from their systems:

Originally mentioned here (late December 2021) at Dev1 by hevidevi here ...

https://dev1galaxy.org/viewtopic.php?id=4715

... and then press here:

https://www.theregister.com/2022/03/16/ … net_log4j/

We now have this:

https://www.theregister.com/2022/04/20/ … j_patches/

Jessica Lyons Hardcastle @ The Register wrote:

Amazon Web Services has updated its Log4j security patches after it was discovered the original fixes made customer deployments vulnerable to container escape and privilege escalation.

The vulnerabilities introduced by Amazon's Log4j hotpatch – CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, CVE-2022-0071 – are all high-severity bugs rated 8.8 out of 10 on the CVSS.

A.

Last edited by Altoid (2022-04-21 10:57:51)

#2 2022-04-25 13:33:12

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  

Re: Log4j vulnerability - Yet again

So they fixed the bug with patches that introduced more bugs? Isn't software great! I'm beginning to think Sturgeon was an optimist...


Brianna Ghey — Rest In Power

#3 2022-04-25 13:59:36

Altoid
Member
Registered: 2017-05-07
Posts: 1,581  

Re: Log4j vulnerability - Yet again

Hello:

Head_on_a_Stick wrote:

... fixed the bug with patches that introduced more bugs?

Yes ...
Which would mean that maybe they really didn't fix anything.

i.e.: just made it worse.

Fortunately I was able to purge that from my box.

Best,

A.
