Yaga

Alright. thanks for letting me know Still it wouldn't harm to update to Log4j 16.0 as recommended by cyber security experts at Praetorian

The Praetorian article was about a recent workaround that was discovered which still allows exfiltration of data in Log4j 15.0. Remote code execution is no longer possible. I want to make absolutely sure that Forge also addressed this newer workaround I'm not a cyber-security expert but I take what I read from Praetorian seriously. they recommended updating to log4j 16.0. Did forge also address this newer exfiltration of data exploit?

Forge updated to using Log4j 15.0 after the recent security exploits. however since then, its been discovered its still possible to steal data from your computer with that version of log4j. From the cyber security company Praetorian: https://www.praetorian.com/blog/log4j-2-15-0-stills-allows-for-exfiltration-of-sensitive-data/ ""The Apache Software Foundation announced a new vulnerability in Log4j – CVE-2021-45046 – on December 14th. The vulnerability as described states that Log4j 2.15.0 can allow a local Denial of Service attack, but that impacts are limited. However, in our research we have demonstrated that 2.15.0 can still allow for exfiltration of sensitive data in certain circumstances. We have passed technical details of the issue to the Apache Foundation, but in the interim, we strongly recommend that customers upgrade to 2.16.0 as quickly as possible.”" As you can see in this tweet, Forge updated to 2.15.0 which is still vulnerable, but did not update to 2.16.0 as of yet: