Forge needs to update to using Log4j 16.0 instead of 15.0. Forge might still be vulnerable

[Yaga]

Forge updated to using Log4j 15.0 after the recent security exploits. however since then, its been discovered its still possible to steal data from your computer with that version of log4j.
From the cyber security company Praetorian:
https://www.praetorian.com/blog/log4j-2-15-0-stills-allows-for-exfiltration-of-sensitive-data/

""The Apache Software Foundation announced a new vulnerability in Log4j – CVE-2021-45046 – on December 14th. The vulnerability as described states that Log4j 2.15.0 can allow a local Denial of Service attack, but that impacts are limited. However, in our research we have demonstrated that 2.15.0 can still allow for exfiltration of sensitive data in certain circumstances. We have passed technical details of the issue to the Apache Foundation, but in the interim, we strongly recommend that customers upgrade to 2.16.0 as quickly as possible.”"

As you can see in this tweet, Forge updated to 2.15.0 which is still vulnerable, but did not update to 2.16.0 as of yet:

[Yaga]

The Praetorian article was about a recent workaround that was discovered which still allows exfiltration of data in Log4j 15.0.
Remote code execution is no longer possible. I want to make absolutely sure that Forge also addressed this newer workaround 

I'm not a cyber-security expert but I take what I read from Praetorian seriously. they recommended updating to log4j 16.0.
Did forge also address this newer exfiltration of data exploit? 

Edited December 17, 2021 by Yaga
fixing a typo

[Yaga]

32 minutes ago, diesieben07 said:

This is correct as far as I know. As such no action is needed.

Alright. thanks for letting me know
Still it wouldn't harm to update to Log4j 16.0 as recommended by cyber security experts at Praetorian

[pheonic]

It seems that RCE is actually possible on version 2.15.0 according to apache (https://logging.apache.org/log4j/2.x/security.html)

Not sure if this changes what was discussed earlier in the thread?