Re: [Davmail-users] Davmail and the CVE-2021-44228-Log4j?
From: Ole H. N. <Ole...@fy...> - 2021-12-21 11:29:28
Now there is a new CVE https://nvd.nist.gov/vuln/detail/CVE-2021-4104 which states:

> JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Question: Does davmail configure the use of JMSAppender and become vulnerable?

Thanks,
Ole

On 12/14/21 18:23, Mickaël Guessant wrote:
> The good news is that DavMail is *not* vulnerable to latest Log4J 2 CVE as
> it depends on log4J version 1.
>
> Regards,
>
>
> On 14/12/2021 at 08:52, Ole Holm Nielsen via Davmail-users wrote:
>> Hi,
>>
>> We have installed davmail 6.0.1 dated Dec. 3, 2021 as an RPM on CentOS
>> 7.9. However, it's only a few days ago that the Vulnerability in Apache
>> Log4j (CVE-2021-44228-Log4j) was announced. We note that Davmail
>> includes a log4j component:
>>
>> $ rpm -ql davmail | grep log4j
>> /usr/share/davmail/lib/log4j-1.2.16.jar
>> /usr/share/davmail/lib/slf4j-log4j12-1.7.25.jar
>>
>> Question: Is davmail vulnerable to log4j? If so, when could we expect a
>> security fix?
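The question above is whether a log4j 1.2 deployment actually configures `JMSAppender`, since CVE-2021-4104 only applies when it does. The following script is an added example written for this thread; it is not DavMail's code and says nothing about DavMail's real configuration. It implements the two checks a defender would run: parse a log4j 1.x `.properties` file and report any appender declared as `org.apache.log4j.net.JMSAppender` together with the `TopicBindingName` and `TopicConnectionFactoryBindingName` settings named in the CVE, and inspect the jar for the `org/apache/log4j/net/JMSAppender.class` entry (removing that class from the jar is the usual mitigation for 1.2 installs that cannot upgrade). The class and entry names are real log4j 1.2 identifiers; the sample configurations and the in-memory jar are constructed for the example.

```python
import io
import re
import sys
import zipfile

# Real log4j 1.2 identifiers: the appender class named in CVE-2021-4104 and
# its entry name inside a log4j-1.2.x jar.
JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
JMS_APPENDER_ENTRY = "org/apache/log4j/net/JMSAppender.class"
# The two JMSAppender settings the CVE text names as the JNDI lookup inputs.
JNDI_SETTINGS = ("TopicBindingName", "TopicConnectionFactoryBindingName")


def parse_log4j_properties(text):
    """Parse log4j 1.x .properties text into a dict; comments and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":"
        key, found, value = line.partition(sep)
        if found:
            props[key.strip()] = value.strip()
    return props


def find_jms_appenders(props):
    """Return {appender name: {JNDI setting: value}} for every appender declared as JMSAppender."""
    declared = re.compile(r"^log4j\.appender\.([^.]+)$")
    findings = {}
    for key, value in props.items():
        m = declared.match(key)
        if not m or value != JMS_APPENDER_CLASS:
            continue
        name = m.group(1)
        findings[name] = {
            s: props[f"log4j.appender.{name}.{s}"]
            for s in JNDI_SETTINGS
            if f"log4j.appender.{name}.{s}" in props
        }
    return findings


def jar_contains_jms_appender(jar_bytes):
    """True if the jar still ships the JMSAppender class file."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JMS_APPENDER_ENTRY in zf.namelist()


def assess(config_text, jar_bytes):
    """Combine both checks into a single verdict string."""
    appenders = find_jms_appenders(parse_log4j_properties(config_text))
    has_class = jar_contains_jms_appender(jar_bytes)
    if appenders and has_class:
        return "exposed"                     # configured and loadable: CVE-2021-4104 applies
    if appenders:
        return "configured-but-class-removed"  # appender would fail to load
    if has_class:
        return "class-present-not-configured"  # default situation for a stock 1.2 jar
    return "clean"


# --- constructed samples; NOT DavMail's real configuration or jar ---
SAFE_CONFIG = """\
# constructed sample: console appender only, no JMS
log4j.rootLogger=WARN, ConsoleAppender
log4j.appender.ConsoleAppender=org.apache.log4j.ConsoleAppender
log4j.appender.ConsoleAppender.layout=org.apache.log4j.PatternLayout
"""

RISKY_CONFIG = SAFE_CONFIG + """\
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.JMS.TopicBindingName=exampleTopic
log4j.appender.JMS.TopicConnectionFactoryBindingName=exampleFactory
"""


def build_sample_jar(include_jms_appender):
    """Build an in-memory jar with or without the JMSAppender entry (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/apache/log4j/Logger.class", b"")
        if include_jms_appender:
            zf.writestr(JMS_APPENDER_ENTRY, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python log4j1_jms_check.py <log4j.properties> <log4j-1.2.x.jar>
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as cfg, open(sys.argv[2], "rb") as jar:
            print(assess(cfg.read(), jar.read()))
    else:
        print("safe config + stock jar:", assess(SAFE_CONFIG, build_sample_jar(True)))
        print("JMS config + stock jar: ", assess(RISKY_CONFIG, build_sample_jar(True)))
```

Run against a real install by passing the application's log4j properties file and the jar the RPM listing above shows (`/usr/share/davmail/lib/log4j-1.2.16.jar`). A stock 1.2 jar with no JMS appender configured yields `class-present-not-configured`, which matches the CVE text's point that the issue only arises when JMSAppender is explicitly configured; `exposed` is the verdict to act on.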