log4j-core-2.16.0.jar
Mathew, Sunil
smathew at hbs.edu
Wed Jun 7 16:22:32 UTC 2023
Hi All,
We are using the shib-idp:4.2.1_20220624 Docker image in AWS.
Qualys is complaining about the existence of this file:
/usr/local/tomcat/bin/log4j-core-2.16.0.jar
It relates to this CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-45105 - description from Qualys:
Apache Log4j2 does not always protect from infinite recursion in lookup evaluation (CVE-2021-45105); this was made public on December 18, 2021.
Affected versions:
Log4j: all versions from 2.0-beta9 to 2.16.0, excluding 2.12.3 and 2.3.1
QID Detection: (Authenticated) - Windows
On the Windows system, the QID identifies a vulnerable instance of log4j via WMI to check log4j included in the running processes via the command-line.
QID Detection: (Authenticated) - Linux
This detection is based on querying the OS package managers on the target. If the target has a log4j package with a version less than or equal to 2.16.0, the target is flagged as vulnerable.
How can I remediate this vulnerability?
Regards,
Sunil
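The post quotes the version range the scanner flags (2.0-beta9 through 2.16.0, minus 2.12.3 and 2.3.1) and the jar path it found. The script below is an added example, not code from the original post or from the Shibboleth project: it reproduces that same flagging rule over a filesystem tree, so an operator can inventory every log4j-core jar in a container image (for example by running it against an exported image root) and see which ones fall inside the range before deciding what to replace. The sample tree it builds is constructed, using empty placeholder files; the only real path in it is the one from the post.

```python
import os
import re
import tempfile

# Version range exactly as the Qualys description quoted in the post states it:
# all versions from 2.0-beta9 to 2.16.0, excluding 2.12.3 and 2.3.1.
AFFECTED_LOW = "2.0-beta9"
AFFECTED_HIGH = "2.16.0"
EXCLUDED = {"2.12.3", "2.3.1"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?$")
_JAR_RE = re.compile(r"^log4j-core-(.+)\.jar$")


def parse_version(text):
    """Turn '2.16.0' or '2.0-beta9' into a sortable tuple.

    A final release sorts after any pre-release of the same numeric
    version, so 2.0-beta9 < 2.0 < 2.0.1 < 2.16.0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised log4j version: %r" % text)
    major, minor, patch, tag, num = m.groups()
    numeric = (int(major), int(minor), int(patch or 0))
    if tag is None:
        return numeric + (1, "", 0)                      # final release
    return numeric + (0, tag.lower(), int(num or 0))     # pre-release


def is_affected(version):
    """True if the version lies inside the flagged range and is not excluded."""
    if version in EXCLUDED:
        return False
    v = parse_version(version)
    return parse_version(AFFECTED_LOW) <= v <= parse_version(AFFECTED_HIGH)


def scan_for_log4j_core(root):
    """Walk a filesystem tree and report every log4j-core jar found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = _JAR_RE.match(name)
            if m:
                version = m.group(1)
                findings.append({
                    "path": os.path.join(dirpath, name),
                    "version": version,
                    "affected": is_affected(version),
                })
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample tree (placeholder file names only; the jars are empty).
SAMPLE_JARS = [
    "usr/local/tomcat/bin/log4j-core-2.16.0.jar",   # the path from the post
    "usr/local/tomcat/lib/log4j-core-2.17.1.jar",   # above the flagged range
    "opt/other-app/lib/log4j-core-2.12.3.jar",      # explicitly excluded
    "opt/other-app/lib/log4j-api-2.16.0.jar",       # not log4j-core, ignored
]


def build_sample_tree(base):
    """Create the constructed placeholder jars under base."""
    for rel in SAMPLE_JARS:
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "wb").close()


def demo():
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        findings = scan_for_log4j_core(base)
        for f in findings:                       # strip the temp prefix for readability
            f["path"] = os.path.relpath(f["path"], base)
        return findings


if __name__ == "__main__":
    for f in demo():
        status = "AFFECTED" if f["affected"] else "ok"
        print("%-45s %-10s %s" % (f["path"], f["version"], status))
```

Run it against a real image by pointing `scan_for_log4j_core()` at the extracted root filesystem instead of the temp tree. Note that it matches on the jar file name, as the post's finding does; a jar that has been renamed or shaded into another archive will not be listed, which is one reason a package-manager or file-name check and the code actually loaded at runtime can disagree.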