The officially official Devuan Forum!

#1 2022-04-21 10:57:08

Altoid
Member
Registered: 2017-05-07
Posts: 1,045  

Log4j vulnerability - Yet again

Hello:

For those who have not purged log4j from their systems:

Originally mentioned (late December 2021) at Dev1 by hevidevi here ...

https://dev1galaxy.org/viewtopic.php?id=4715

... and then press here:

https://www.theregister.com/2022/03/16/ … net_log4j/

We now have this:

https://www.theregister.com/2022/04/20/ … j_patches/

Jessica Lyons Hardcastle @ The Register wrote:

Amazon Web Services has updated its Log4j security patches after it was discovered the original fixes made customer deployments vulnerable to container escape and privilege escalation.

The vulnerabilities introduced by Amazon's Log4j hotpatch – CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, CVE-2022-0071 – are all high-severity bugs rated 8.8 out of 10 on the CVSS.

A.

Last edited by Altoid (2022-04-21 10:57:51)

#2 2022-04-25 13:33:12

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 2,326  

Re: Log4j vulnerability - Yet again

So they fixed the bug with patches that introduced more bugs? Isn't software great! I'm beginning to think Sturgeon was an optimist...


To obtain a root shell use su -. Using just su will result in "command not found" messages.

#3 2022-04-25 13:59:36

Altoid
Member
Registered: 2017-05-07
Posts: 1,045  

Re: Log4j vulnerability - Yet again

Hello:

Head_on_a_Stick wrote:

... fixed the bug with patches that introduced more bugs?

Yes ...
Which would mean that maybe they really didn't fix anything.

i.e.: just made it worse.

Fortunately I was able to purge that from my box.

Best,

A.
