Apache Log4j2 2.14.1
버전 정보 | 취약점 ID | 취약점 최종 보고일 | 심각도 |
---|---|---|---|
2.14.1 | CVE-2021-44228 | 2021/12/12 | 10.0 (Critical) |
취약점 설명 | Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or it can be mitigated in prior releases (<2.10) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). 2.14.1 이하 버전의 Apache Log4j2는 설정, 로그 메세지 및 파라미터에 사용되는 JNDI 기능을 공격자가 제어하는 LDAP 및 기타 JNDI 관련 엔드포인트로부터 보호하지 않습니다. |
---|---|
대응 방안 | 2.16.0 이상 버전으로 업데이트 |
기타 | - |
-
번호 | 컴포넌트 명 및 버전 | 취약점ID | 심각도 |
취약점 최종 보고일 |
대응방안 |
---|---|---|---|---|---|
167 | istio 1.9.4 | CVE-2021-31921 | 7.5 (High) | 2021/07/30 | |
166 | GoGo Protobuf 1.3.1 | CVE-2021-3121 | 7.5 (High) | 2021/10/18 | |
165 | Apache Log4j2 2.14.1 | CVE-2021-44228 | 10.0 (Critical) | 2021/12/12 | |
164 | aws-sdk-js 2.167.0 | CVE-2020-28472 | 7.5 (High) | 2021/01/28 | |
163 | y18n 5.0.0 | CVE-2020-7774 | 7.5 (High) | 2021/07/21 | |
162 | swiper 5.3.8 | CVE-2021-23370 | 7.5 (High) | 2021/04/19 | |
161 | Apache Hadoop 2.6.0 | CVE-2017-3162 | 7.5 (High) | 2021/07/03 | |
160 | Apache Velocity Engine 1.5 | CVE-2020-13936 | 9.0 (Critical) | 2021/09/23 | |
159 | Apache Commons Beanutils 1.8.3 | CVE-2019-10086 | 7.5 (High) | 2021/10/20 | |
158 | TensorFlow 2.4.1 | CVE-2021-37678 | 4.6 (Medium) | 2021/08/19 |