Jump to content

Forge needs to update to using Log4j 16.0 instead of 15.0. Forge might still be vulnerable


Recommended Posts

Posted

Forge updated to using Log4j 15.0 after the recent security exploits. however since then, its been discovered its still possible to steal data from your computer with that version of log4j.
From the cyber security company Praetorian:
https://www.praetorian.com/blog/log4j-2-15-0-stills-allows-for-exfiltration-of-sensitive-data/

""The Apache Software Foundation announced a new vulnerability in Log4j – CVE-2021-45046 – on December 14th. The vulnerability as described states that Log4j 2.15.0 can allow a local Denial of Service attack, but that impacts are limited. However, in our research we have demonstrated that 2.15.0 can still allow for exfiltration of sensitive data in certain circumstances. We have passed technical details of the issue to the Apache Foundation, but in the interim, we strongly recommend that customers upgrade to 2.16.0 as quickly as possible.”"

As you can see in this tweet, Forge updated to 2.15.0 which is still vulnerable, but did not update to 2.16.0 as of yet:

Posted (edited)

The Praetorian article was about a recent workaround that was discovered which still allows exfiltration of data in Log4j 15.0.
Remote code execution is no longer possible. I want to make absolutely sure that Forge also addressed this newer workaround 

I'm not a cyber-security expert but I take what I read from Praetorian seriously. they recommended updating to log4j 16.0.
Did forge also address this newer exfiltration of data exploit? 

Edited by Yaga
fixing a typo
Posted
32 minutes ago, diesieben07 said:

This is correct as far as I know. As such no action is needed.

Alright. thanks for letting me know
Still it wouldn't harm to update to Log4j 16.0 as recommended by cyber security experts at Praetorian

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Announcements



×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.