
Corretto team statement on CVE-2021-44228 (Log4j remote code execution) #343

Open
davecurrie opened this issue Dec 11, 2021 · 1 comment

Comments

@davecurrie
Contributor

A high-severity security issue within Log4j2 was recently disclosed publicly (see https://nvd.nist.gov/vuln/detail/CVE-2021-44228 for more details). Anyone using Log4j2 should upgrade to version 2.15, which addresses this issue. Log4j2 versions older than 2.15 should be considered affected regardless of the JDK distribution or version used.

It has been reported that using Log4j2 on JDKs after 8u121 or 8u191 (including JDK 11 and later) mitigates the issue, but this is only a partial mitigation. The only comprehensive solution is to upgrade Log4j2 to 2.15.

@davecurrie davecurrie pinned this issue Dec 11, 2021
@davecurrie
Contributor Author

The Corretto team at AWS has been working on a tool to hotpatch the log4j RCE from CVE-2021-44228. This tool

  • Can patch a running JVM without a need to restart
  • Will patch log4j 2+
  • Can be run safely multiple times on the same JVM
  • Will find all the user’s running JVMs and patch them
  • Can be used to patch shaded jars including log4j
  • Can patch multiple log4j instances

You can get it at https://github.com/corretto/hotpatch-for-apache-log4j2. Use it at your own risk and go through the README for instructions and caveats.
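Added example (editor's code, not the Corretto team's and not the hotpatch tool linked above): an offline scanner that applies the rule from the first comment, that any log4j-core older than 2.15 is affected regardless of JDK, to jars on disk. It recurses into nested archives (fat jars, wars, Spring Boot `BOOT-INF/lib`) and matches `JndiLookup.class` by path suffix so a shaded jar that relocated the `org.apache.logging.log4j` package still shows up, which is the same class of deployment the second comment says the hotpatch handles. The version comes from `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties`; if that file is missing but the class is present, the jar is reported as `unknown-version` rather than silently skipped. The sample jars the script builds when run without arguments are constructed fixtures containing a fake class file, not real Log4j releases.

```python
"""Scan jars for log4j-core versions affected by CVE-2021-44228 (added example)."""
import io
import os
import sys
import zipfile
from typing import List, Optional, Tuple

# Suffix match: maven-shade relocation prepends a package, it does not rename the class.
JNDI_LOOKUP_SUFFIX = "log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES_SUFFIX = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 15, 0)  # first release that addresses the issue, per the statement above
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); '2.15.0-rc1' -> (2, 15, 0); missing components are 0."""
    numbers = []
    for part in text.strip().split("-")[0].split("."):
        if not part.isdigit():
            break
        numbers.append(int(part))
    return tuple((numbers + [0, 0, 0])[:3])


def is_fixed(version: str) -> bool:
    return parse_version(version) >= FIXED_VERSION


def read_pom_version(data: bytes) -> Optional[str]:
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive_bytes(data: bytes, label: str) -> List[dict]:
    """Scan one archive held in memory, recursing into any archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a zip at all: nothing to report
    findings: List[dict] = []
    version = None
    jndi_entries = []
    with zf:
        for name in zf.namelist():
            if name.endswith(POM_PROPERTIES_SUFFIX):
                version = read_pom_version(zf.read(name))
            elif name.endswith(JNDI_LOOKUP_SUFFIX):
                jndi_entries.append(name)
            elif name.lower().endswith(ARCHIVE_EXTS):
                findings.extend(scan_archive_bytes(zf.read(name), label + "!" + name))
    if version is None and not jndi_entries:
        return findings  # no log4j-core in this archive itself
    if version is not None and is_fixed(version):
        status = "fixed"
    elif version is None:
        status = "unknown-version"  # class present, no pom.properties: verify by hand
    else:
        status = "vulnerable"  # older than 2.15: affected regardless of JDK version
    findings.append({"archive": label, "version": version,
                     "jndi_lookup": jndi_entries, "status": status})
    return findings


def scan_path(root: str) -> List[dict]:
    """Walk a directory tree and scan every archive found."""
    findings: List[dict] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(scan_archive_bytes(fh.read(), path))
    return findings


def build_sample_jar(version: Optional[str], prefix: str = "",
                     nested_in: Optional[str] = None) -> bytes:
    """Constructed fixture (not a real Log4j jar): fake JndiLookup.class plus optional pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(prefix + "org/apache/logging/" + JNDI_LOOKUP_SUFFIX, b"\xca\xfe\xba\xbe")
        if version is not None:
            zf.writestr(POM_PROPERTIES_SUFFIX,
                        f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
    data = buf.getvalue()
    if nested_in:  # wrap it inside an outer application archive
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as zf:
            zf.writestr(nested_in, data)
        data = outer.getvalue()
    return data


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_path(sys.argv[1])
    else:  # offline demo on constructed fixtures: plain 2.14.1, shaded+nested 2.14.1, fixed 2.15.0
        results = scan_archive_bytes(build_sample_jar("2.14.1"), "log4j-core-2.14.1.jar")
        results += scan_archive_bytes(build_sample_jar("2.14.1", prefix="shaded/",
                                      nested_in="BOOT-INF/lib/log4j-core-2.14.1.jar"), "app.jar")
        results += scan_archive_bytes(build_sample_jar("2.15.0"), "log4j-core-2.15.0.jar")
    for f in results:
        print(f"{f['status']:<16} {f['archive']}  version={f['version']}  "
              f"JndiLookup entries={len(f['jndi_lookup'])}")
```

Run it as `python scan_log4j.py /opt/app` to walk a tree, or with no argument to see the three constructed cases. A `vulnerable` or `unknown-version` result on a running service is exactly where the hotpatch above buys time until the jar can be replaced with 2.15; the scanner only reads files on disk, so it says nothing about classes already loaded into a JVM.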
