brooklin icon indicating copy to clipboard operation
brooklin copied to clipboard
verified publisher icon linkedin

Log4j Critical Vulnerability - Remote Code Injection

Open jekhokie opened this issue 4 years ago • 1 comments

Based on GHSA-jfh8-c2jp-5v3q "Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser." In addition, according to CVE-2021-4104, Log4j 1.2 is subject to similar RCE when JMSAppenders are used, and Log4j 1.x is well out of support at this time.

It's advised to migrate to Log4j 2.16.0 at this time. Based on the severity of the issue, request that this be dealt with via a backport approach if at all possible. Would it be possible to migrate to Log4j 2.16.0 to mitigate the risk to anyone using this application?

Thank you!

jekhokie avatar Dec 15 '21 05:12 jekhokie

Hi Justin,

We are aware of the issue. However, can you follow the process described on CONTRIBUTING.md? This will ensure the issue is properly triaged and acknowledged by Linkedin Security.

I will leave this Issue open until we have the appropriate changes merged.

FYI @atoomula

Thanks, Thomas

thomaslaw avatar Dec 15 '21 15:12 thomaslaw