From: Krzysztof B. <kb...@un...> - 2021-12-15 14:25:29
Hi Tim, All,

On 15.12.2021 at 08:37, Tim Kreuzer wrote:
> Hi Krzysztof,
>
> I don't know if you already know, but another log4j update
> is required:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

Yes, we have been heads down on this one since morning. Unity 3.7.2 including the updated library is being released. It takes ages as the Sonatype Nexus server (the tool used to publish to the Maven Central repo) is super slow (quite easy to guess why). After this is completed I will provide a separate update.

Investigation of the new vulnerability discovered that the Unity server can be affected assuming:

1. It is version 3.5.0 or newer. 3.4.5 and earlier versions are not affected. Note: the previous log4j vulnerability was affecting all Unity versions (maybe except some ancient ones - we haven't checked Unity 1.x or 2.x).

2. Context variables are used in the logging configuration. Context variables are used when you use any of the following variables in the logging pattern: ${ctx:___}, %X, %mdc, %MDC.

To mitigate the problem, until 3.7.2 is installed, the following options are available:

1. Manual update of all log4j* libraries to version 2.16.0. Should be safe on all affected versions of Unity.

2. Make sure you don't use any of the context variables in the logging pattern layout. More precisely, there is a single context variable in Unity which looks like a likely candidate for attack, but the safest bet is to not use context variables at all until the patched version is installed.

Best regards,
Krzysztof
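A quick check for the second mitigation in the message above, added here as an example and not Unity's own code or configuration: it parses a log4j2 XML configuration and reports every appender whose pattern layout references the thread context map via `${ctx:...}`, `%X`, `%mdc` or `%MDC`. The function names, the regular expression and the sample configuration are this example's own constructions.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Context-map references named in the message: ${ctx:...}, %X, %mdc, %MDC.
# Optional format modifiers (e.g. %-10X{user}) and an optional {key} argument
# are accepted; %x (the NDC stack) is deliberately not matched.
CONTEXT_REF = re.compile(r"\$\$?\{ctx:[^}]*\}|%[-.\d]*(?:X|mdc|MDC)(?:\{[^}]*\})?")


def context_refs(pattern: str) -> List[str]:
    """Return every context-variable reference found in one pattern layout string."""
    return CONTEXT_REF.findall(pattern)


def patterns_in_config(xml_text: str) -> List[Tuple[str, str]]:
    """Collect (appender name, pattern) pairs from a log4j2 XML configuration.
    A pattern may be given as a 'pattern' attribute or as a <Pattern> child."""
    root = ET.fromstring(xml_text)
    found = []
    for appender in root.iter():
        for layout in appender.findall("PatternLayout"):
            name = appender.get("name", appender.tag)
            if layout.get("pattern"):
                found.append((name, layout.get("pattern")))
            for child in layout.findall("Pattern"):
                if child.text:
                    found.append((name, child.text.strip()))
    return found


def risky_appenders(xml_text: str) -> List[Tuple[str, List[str]]]:
    """Appenders whose layout touches the thread context map, with the offending tokens."""
    result = []
    for name, pattern in patterns_in_config(xml_text):
        refs = context_refs(pattern)
        if refs:
            result.append((name, refs))
    return result


# Constructed sample configuration (not from Unity): the console appender uses a
# context variable in its layout, the audit file appender does not.
SAMPLE_CONFIG = """<Configuration>
  <Appenders>
    <Console name="STDOUT">
      <PatternLayout pattern="%d %-5p [%X{user}] %c: %m%n"/>
    </Console>
    <File name="AUDIT" fileName="audit.log">
      <PatternLayout><Pattern>%d %-5p %c: %m%n</Pattern></PatternLayout>
    </File>
  </Appenders>
</Configuration>"""

if __name__ == "__main__":
    for name, refs in risky_appenders(SAMPLE_CONFIG):
        print(f"appender {name} uses context variables: {refs}")
```

Run it against a real log4j2.xml by passing the file contents to `risky_appenders`; any appender it reports still needs its layout changed (or the libraries updated to 2.16.0) until the patched Unity release is installed.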