Yaga Posted December 17, 2021

Forge updated to using Log4j 15.0 after the recent security exploits. However, since then, it's been discovered it's still possible to steal data from your computer with that version of Log4j. From the cyber security company Praetorian: https://www.praetorian.com/blog/log4j-2-15-0-stills-allows-for-exfiltration-of-sensitive-data/

"The Apache Software Foundation announced a new vulnerability in Log4j – CVE-2021-45046 – on December 14th. The vulnerability as described states that Log4j 2.15.0 can allow a local Denial of Service attack, but that impacts are limited. However, in our research we have demonstrated that 2.15.0 can still allow for exfiltration of sensitive data in certain circumstances. We have passed technical details of the issue to the Apache Foundation, but in the interim, we strongly recommend that customers upgrade to 2.16.0 as quickly as possible."

As you can see in this tweet, Forge updated to 2.15.0, which is still vulnerable, but did not update to 2.16.0 as of yet.
Yaga (Author) Posted December 17, 2021 (edited)

The Praetorian article was about a recent workaround that was discovered which still allows exfiltration of data in Log4j 15.0. Remote code execution is no longer possible. I want to make absolutely sure that Forge also addressed this newer workaround. I'm not a cyber-security expert, but I take what I read from Praetorian seriously. They recommended updating to Log4j 16.0. Did Forge also address this newer exfiltration of data exploit?

Edited December 17, 2021 by Yaga: fixing a typo
Yaga (Author) Posted December 17, 2021

32 minutes ago, diesieben07 said: "This is correct as far as I know. As such no action is needed."

Alright, thanks for letting me know. Still, it wouldn't harm to update to Log4j 16.0 as recommended by cyber security experts at Praetorian.
pheonic Posted December 17, 2021

It seems that RCE is actually possible on version 2.15.0 according to Apache (https://logging.apache.org/log4j/2.x/security.html). Not sure if this changes what was discussed earlier in the thread?
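The practical question running through this thread is which log4j-core version an installation actually ships and whether it is at or past the 2.16.0 release the posters point to. The script below is an added example, not code from Forge or from any poster: it reads the version from the jar's Maven `pom.properties` entry and compares it with that threshold. The jar it scans is constructed in memory so the script runs offline; the threshold `FIXED_VERSION = (2, 16, 0)` is taken from the upgrade recommendation quoted above, and the suggestion to point it at a Forge installation's libraries folder is an assumption about where such a jar would live.

```python
"""Check which log4j-core version a jar carries and whether it is below the
fixed release the thread recommends (2.16.0 for CVE-2021-45046).

Added example, not code from Forge or the forum posters. The jar used below
is constructed in memory so the script runs offline; pass `scan` a real jar
path (assumption: e.g. a log4j-core jar under a Forge install's libraries
folder) to check a real installation.
"""
import io
import re
import zipfile

# Upgrade target quoted in the thread (Praetorian / Apache advisory).
FIXED_VERSION = (2, 16, 0)

# Maven writes the artifact version into pom.properties inside the jar.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"^version=(\d+(?:\.\d+)*)", re.M)


def parse_version(text):
    """'2.15.0' -> (2, 15, 0); tuples compare numerically, unlike strings."""
    return tuple(int(part) for part in text.split("."))


def log4j_core_version(jar):
    """Return the log4j-core version tuple found in `jar`, or None if the jar
    carries no log4j-core pom.properties (it is not log4j-core, or the
    metadata was stripped)."""
    with zipfile.ZipFile(jar) as zf:
        if POM_PROPERTIES not in zf.namelist():
            return None
        match = VERSION_RE.search(zf.read(POM_PROPERTIES).decode("utf-8", "replace"))
        return parse_version(match.group(1)) if match else None


def needs_upgrade(version):
    """Unknown versions are treated as needing attention, not as safe."""
    return version is None or version < FIXED_VERSION


def scan(jar):
    version = log4j_core_version(jar)
    return {"version": version, "needs_upgrade": needs_upgrade(version)}


def build_sample_jar(version):
    """Build a minimal in-memory jar (constructed sample, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(
            POM_PROPERTIES,
            "#Generated by Maven\n"
            f"version={version}\n"
            "groupId=org.apache.logging.log4j\n"
            "artifactId=log4j-core\n",
        )
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Both versions discussed in the thread, as constructed sample jars.
    for ver in ("2.15.0", "2.16.0"):
        print(ver, scan(build_sample_jar(ver)))
```

Comparing version tuples rather than strings matters here: as strings, "2.9.1" would sort after "2.16.0". A jar whose Maven metadata has been stripped yields `None`, which the check deliberately reports as needing attention rather than as safe.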