Hello:
For those who have not purged log4j from their systems:
Originally mentioned here (late December 2021) at Dev1 by hevidevi here ...
https://dev1galaxy.org/viewtopic.php?id=4715
... and then press here:
https://www.theregister.com/2022/03/16/ … net_log4j/
We now have this:
https://www.theregister.com/2022/04/20/ … j_patches/
Amazon Web Services has updated its Log4j security patches after it was discovered the original fixes made customer deployments vulnerable to container escape and privilege escalation.
The vulnerabilities introduced by Amazon's Log4j hotpatch – CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, CVE-2022-0071 – are all high-severity bugs rated 8.8 out of 10 on the CVSS.
A.
Last edited by Altoid (2022-04-21 10:57:51)
So they fixed the bug with patches that introduced more bugs? Isn't software great! I'm beginning to think Sturgeon was an optimist...
Brianna Ghey — Rest In Power
Hello:
... fixed the bug with patches that introduced more bugs?
Yes ...
Which would mean that maybe they really didn't fix anything.
i.e., just made it worse.
Fortunately I was able to purge that from my box.
Best,
A.