Apache JSPWiki affected by Apache Log4J's [CVE-2021-44228] #
Severity
Critical
Vendor
The Apache Software Foundation
Versions Affected
Apache JSPWiki 2.11.0
Description
Apache JSPWiki, 2.11.0 release is using a bundled version of the Apache Log4J library vulnerable to Remote Code Execution. For full impact and additional detail consult the Log4J security page.
Apache JSPWiki releases prior to 2.11.0 use Log4J 1.2.17 which may be vulnerable for installations using non-default logging configurations that include the JMS Appender, see https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 for discussion.
Mitigation
Any of the following are enough to prevent this vulnerability for Apache JSPWiki installations:
- Upgrade to upcoming Apache JSPWiki 2.11.1, which will include an updated version of the log4j2 dependency. Alternatively, you can build 2.11.1-git-02 from master branch which also includes the updated dependency.
- Manually update the version of Log4J2 on your runtime classpath and restart your JSPWiki application.
- Adding the -Dlog4j2.formatMsgNoLookups=true to the JVM launching the application (f.ex., adding it to the CATALINA_OPTS env variable under Tomcat).
References
https://logging.apache.org/log4j/2.x/security.html
CVE