- Newer NIST CVE-2021-45046 - changed to RCE 9.0 (but requires non-default config).
- NOTE: All previous mitigations - based on anything other than upgrading to log4j 2.16 (or higher) or entirely removing JndiLookup classes - are no longer effective mitigations.
- Worm? - Kevin Beaumont and Marcus Hutchins say not really, because it has a hard-coded LDAP server - but better versions may be feasible soon.
- Big new joint CISA / Five Eyes mitigation advisory.
- CVE-2021-44832 (CVSS 6.6) - do not be alarmed (yet) - it appears to require the ability to write a local config file to be exploited ("where an attacker with permission to modify the logging configuration file can construct a malicious configuration").
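The NOTE above names two mitigations that still hold: log4j 2.16 or higher, or JndiLookup removed from the jar. The following check for either state is an added example, not code from this post or from the log4j project; the function names are hypothetical, the sample jars are constructed in memory, and the two paths are where log4j-core keeps its Maven metadata and the JndiLookup class.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MIN_FIXED = (2, 16)  # threshold as stated in the note above


def core_version(jar):
    """Return log4j-core's version as an int tuple, or None if no metadata is bundled."""
    if POM_PROPS not in jar.namelist():
        return None
    text = jar.read(POM_PROPS).decode("utf-8", "replace")
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return tuple(int(g) for g in m.groups(default="0")) if m else None


def assess(jar_bytes):
    """Classify a jar: not-log4j-core, upgraded, jndilookup-removed or needs-action."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        version = core_version(jar)
        has_jndi = JNDI_CLASS in jar.namelist()
    if version is None and not has_jndi:
        return "not-log4j-core"
    if version is not None and version[:2] >= MIN_FIXED:
        return "upgraded"
    if not has_jndi:
        return "jndilookup-removed"
    # Old version with the class present, or a repackaged jar that kept the
    # class but dropped its metadata: neither mitigation can be confirmed.
    return "needs-action"


def make_jar(version=None, with_jndi=False):
    """Build a constructed in-memory jar for the demo (not a real log4j build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
    return buf.getvalue()


if __name__ == "__main__":
    for label, args in [("2.14.1", ("2.14.1", True)), ("2.15.0 stripped", ("2.15.0", False)),
                        ("2.16.0", ("2.16.0", True)), ("no metadata", (None, True))]:
        print(f"{label:16} -> {assess(make_jar(*args))}")
```

The check reads only the top level of one archive; jars nested inside a WAR or fat jar have to be extracted and passed to `assess` individually.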