
All Log4j, logback bugs we know so far and why you MUST ditch 2.15
2021-12-17 12:20

Below we summarize the multiple relevant CVEs identified thus far, and pretty good reasons to ditch log4j version 2.15.0, in favor of 2.16.0.

CVE-2021-4104 [High]: Log4j 2.x is not the only affected branch. Log4j 1.x was previously thought to be safe, but a Log4Shell-style flaw lurks in the older library as well: its JMSAppender deserializes untrusted data when an attacker has write access to the Log4j configuration (see the related vulnerability below).

A successor to the Log4j 1.x library, Logback claims to pick up "Where log4j 1.x leaves off."

Up until last week, Logback also bragged that being "Unrelated to log4j 2.x, [logback] does not share its vulnerabilities."

Log4j 2.15.0 might contain even more severe vulnerabilities than the ones discovered so far, which is why 2.16.0 is by far a safer bet.

The worst possible scenario resulting from Log4j 2.15.0 is yet to be fully determined, but suffice to say, it doesn't seem like it's just limited to DoS. As the situation continues to evolve, organizations and developers are encouraged to upgrade to 2.16.0, and to continue to monitor Apache's Log4j advisory page for updates.
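As an added, defender-side illustration (not code from the article or from the Apache project): a small Python check that reads the log4j-core version a Maven-built jar records in its pom.properties and flags anything below the recommended 2.16.0, and that spots a Log4j 1.x configuration wiring in JMSAppender, the component named in CVE-2021-4104. The pom.properties path follows the standard Maven jar layout; the jar and the configuration it inspects are constructed in memory for the demo.

```python
import io
import re
import zipfile

# Maven metadata entry that Maven-built log4j-core jars carry.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 16, 0)  # the version the article recommends moving to
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"  # Log4j 1.x class behind CVE-2021-4104


def parse_version(text):
    """Turn '2.15.0' into (2, 15, 0); pads short strings ('2.16' -> (2, 16, 0))."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def log4j_core_version(jar):
    """Return the version recorded in a jar's log4j-core pom.properties,
    or None when the jar is not log4j-core. `jar` is a path or file-like object."""
    with zipfile.ZipFile(jar) as zf:
        if POM_PROPERTIES not in zf.namelist():
            return None
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def needs_upgrade(version):
    """True when a log4j-core version is below 2.16.0 (2.15.0 included)."""
    return parse_version(version) < FIXED_VERSION


def config_uses_jmsappender(config_text):
    """True when a Log4j 1.x properties or XML configuration references JMSAppender."""
    return JMS_APPENDER in config_text


def build_sample_jar(version):
    """Constructed stand-in for a log4j-core jar: only the pom.properties entry, in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
    buf.seek(0)
    return buf


# Constructed Log4j 1.x configuration that routes events through JMSAppender.
SAMPLE_LOG4J1_CONFIG = "log4j.rootLogger=INFO, jms\nlog4j.appender.jms=org.apache.log4j.net.JMSAppender\n"

if __name__ == "__main__":
    for v in ("2.14.1", "2.15.0", "2.16.0"):
        found = log4j_core_version(build_sample_jar(v))
        print(f"log4j-core {found}: {'UPGRADE to 2.16.0' if needs_upgrade(found) else 'ok'}")
    print("Log4j 1.x config uses JMSAppender:", config_uses_jmsappender(SAMPLE_LOG4J1_CONFIG))
```

Point `log4j_core_version` at real jars on a classpath and feed deployed log4j.properties/log4j.xml files to `config_uses_jmsappender` to triage an estate.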


News URL

https://www.bleepingcomputer.com/news/security/all-log4j-logback-bugs-we-know-so-far-and-why-you-must-ditch-215/

Related Vulnerability

Date: 2021-12-14
CVE: CVE-2021-4104
Vulnerability title: Deserialization of Untrusted Data vulnerability in multiple products
Description: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration.
Attack vector: network
Attack complexity: high
Affected vendors: apache, fedoraproject, redhat, oracle
Weakness: CWE-502
Risk (score): 7.5