Hi Tim, All,
On 15.12.2021 at 08:37, Tim Kreuzer wrote:
> Hi Krzysztof,
>
> I don't know if you already know, but another log4j update
> is required:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
Yes, we are heads down on this one since morning.
Unity 3.7.2 including the updated library is being released. It takes ages
as the Sonatype Nexus server (the tool used to publish to the Maven Central
repo) is super slow (quite easy to guess why). After this is completed I will
provide a separate update.
Investigation of the new vulnerability discovered that the Unity
server can be affected assuming:
1. It is version 3.5.0 or newer. 3.4.5 and earlier versions are not
affected. Note: the previous log4j vulnerability affected all Unity
versions (maybe except some ancient ones; we haven't checked Unity 1.x
or 2.x).
2. Context variables are used in the logging configuration. Context
variables are used when you use any of the following in the logging
pattern: ${ctx:___}, %X, %mdc, %MDC.
To mitigate the problem, until 3.7.2 is installed, the following options
are available:
1. Manual update of all log4j* libraries to version 2.16.0. This should be
safe on all affected versions of Unity.
2. Make sure you don't use any of the context variables in the logging
pattern layout. More precisely, there is a single context variable in
Unity which looks like a likely candidate for attack, but the safest bet
is to not use context variables at all until the patched version is
installed.
Best regards,
Krzysztof
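As an added pre-check (example code written for this page, not code from the Unity project or from this message): a Python script that tests the two preconditions listed above, Unity 3.5.0 or newer and a context variable (${ctx:...}, %X, %mdc, %MDC) in a log4j2 PatternLayout, and additionally flags any log4j* jar still below 2.16.0. The sample log4j2.xml, the jar file names and the Unity version string are constructed; that Unity's logging config is log4j2 XML with PatternLayout elements and that jars are named log4j-<module>-<version>.jar are assumptions.

```python
"""Check a Unity deployment against the CVE-2021-45046 preconditions.

Added example, not Unity's own code. Conditions checked:
  1. Unity version >= 3.5.0 (3.4.5 and earlier reported as not affected)
  2. a context variable in a log4j2 PatternLayout pattern
  3. log4j jars still older than 2.16.0 (the fixed version named above)
All three must hold for the deployment to be reported as exposed.
"""
import re
import xml.etree.ElementTree as ET

# ${ctx:name}, %X, %mdc, %MDC, each optionally followed by {key}.
# The negative lookahead keeps %X from matching other upper-case
# converters; %xEx (lower case) is a different converter and is ignored.
CTX_RE = re.compile(r"\$\{ctx:[^}]*\}|%(?:X|mdc|MDC)(?![A-Za-z])(?:\{[^}]*\})?")

# Assumed jar naming: log4j-core-2.15.0.jar, log4j-1.2-api-2.15.0.jar, ...
JAR_RE = re.compile(r"^log4j-[\w.-]+-(\d+(?:\.\d+)*)(?:-\w+)?\.jar$")

FIXED_LOG4J = (2, 16, 0)
FIRST_AFFECTED_UNITY = (3, 5, 0)

# Constructed sample config: the console appender is clean, the file
# appender carries %X{user} and therefore triggers the second condition.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="STDOUT" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c{1} - %m%n"/>
    </Console>
    <RollingFile name="FILE" fileName="unity.log" filePattern="unity-%i.log">
      <PatternLayout>
        <Pattern>%d %-5p [%t] %X{user} %c{1} - %m%n</Pattern>
      </PatternLayout>
      <Policies><SizeBasedTriggeringPolicy size="10MB"/></Policies>
    </RollingFile>
  </Appenders>
  <Loggers><Root level="INFO"><AppenderRef ref="FILE"/></Root></Loggers>
</Configuration>
"""


def parse_version(text):
    """'2.15.0' -> (2, 15, 0); '2.0-beta9' -> (2, 0, 0). Always 3 components."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple((parts + [0, 0, 0])[:3])


def context_lookups(pattern):
    """Return every context-variable reference found in one layout pattern."""
    return CTX_RE.findall(pattern)


def pattern_layouts(config_xml):
    """Yield the pattern string of every PatternLayout in a log4j2 XML config.

    Handles both the pattern="..." attribute and a nested <Pattern> element;
    tag and attribute names are compared case-insensitively, as log4j2 does.
    """
    root = ET.fromstring(config_xml)
    for el in root.iter():
        if el.tag.lower() != "patternlayout":
            continue
        for key, value in el.attrib.items():
            if key.lower() == "pattern":
                yield value
        for child in el:
            if child.tag.lower() == "pattern" and child.text:
                yield child.text.strip()


def assess(unity_version, jar_names, config_xml):
    """Evaluate the three conditions and return a dict with the findings."""
    old_jars = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if m and parse_version(m.group(1)) < FIXED_LOG4J:
            old_jars[name] = m.group(1)
    hits = {}
    for pattern in pattern_layouts(config_xml):
        found = context_lookups(pattern)
        if found:
            hits[pattern] = found
    unity_in_range = parse_version(unity_version) >= FIRST_AFFECTED_UNITY
    return {
        "unity_in_affected_range": unity_in_range,
        "log4j_jars_below_2_16_0": old_jars,
        "patterns_with_context_lookups": hits,
        "exposed": unity_in_range and bool(old_jars) and bool(hits),
    }


if __name__ == "__main__":
    report = assess("3.7.1", ["log4j-core-2.15.0.jar", "log4j-api-2.15.0.jar",
                              "unity-server.jar"], SAMPLE_CONFIG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real host, feed `assess` the version from the Unity build, the file names under the lib directory and the contents of the log4j2 config actually loaded; a reported `exposed` of False because of the jar check alone still leaves the first vulnerability's fix (2.15.0) in place, so the version check is the one to trust after the 3.7.2 upgrade.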