Hello Steve,

On 2021-12-14 14:14, Steve Clark wrote:
> This is the standard version that comes with CentOS 7 and is the
> latest available as of a yum update just now.
> log4j-1.2.17-16.el7_4.noarch

yes, that's correct, but it is abandoned nonetheless.

According to the RPM's change log, Red Hat backported a fix for CVE-2017-5645.
They have not done this for CVE-2019-17571 it seems.
I would be very surprised if they'd do so now.

Kind regards,
Steve
On 2021-12-14 08:31, Steve Meier wrote:
> Hello Steve,
>
> On 2021-12-14 14:14, Steve Clark wrote:
>> This is the standard version that comes with CentOS 7 and is the
>> latest available as of a yum update just now.
>> log4j-1.2.17-16.el7_4.noarch
>
> yes, that's correct, but it is abandoned nonetheless.
>
> According to the RPM's change log, Red Hat backported a fix for
> CVE-2017-5645.
> They have not done this for CVE-2019-17571 it seems.
> I would be very surprised if they'd do so now.

Well, given that they indicated on their page for this CVE that they were still investigating the potential for the vulnerability existing in 1.2, it may happen.

It would be nice if there was a log4j-2 RPM available for C7, but as of this point, I've not been able to locate one.

--
Mike Burger
http://www.bubbanfriends.org

"It's always suicide-mission this, save-the-planet that. No one ever just stops by to say 'hi' anymore." --Colonel Jack O'Neill, SG1
> Hello Steve,
>
> On 2021-12-14 14:14, Steve Clark wrote:
>> This is the standard version that comes with CentOS 7 and is the
>> latest available as of a yum update just now.
>> log4j-1.2.17-16.el7_4.noarch
>
> yes, that's correct, but it is abandoned nonetheless.
>
> According to the RPM's change log, Red Hat backported a fix for
> CVE-2017-5645.
> They have not done this for CVE-2019-17571 it seems.
> I would be very surprised if they'd do so now.

It seems CVE-2019-17571 is also covered by the fix for CVE-2017-5645:

https://access.redhat.com/node/4677071

Regards,
Simon
On Tue, 2021-12-14 at 14:31 +0100, Steve Meier wrote:
> Hello Steve,
>
> On 2021-12-14 14:14, Steve Clark wrote:
> > This is the standard version that comes with CentOS 7 and is the
> > latest available as of a yum update just now.
> > log4j-1.2.17-16.el7_4.noarch
>
> yes, that's correct, but it is abandoned nonetheless.
>
> According to the RPM's change log, Red Hat backported a fix for
> CVE-2017-5645.
> They have not done this for CVE-2019-17571 it seems.
> I would be very surprised if they'd do so now.

https://access.redhat.com/node/4677071

According to that link CVE-2019-17571 is the same issue as CVE-2017-5645 and both are listed as fixed in this errata:

https://access.redhat.com/errata/RHSA-2017:2423

So I think it's fixed.

Best regards,
markus
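The check Steve describes above, reading the RPM changelog for backported CVE fixes, scripted as an added example (not from anyone in this thread). The changelog text is constructed sample data in the style of a Red Hat changelog entry, not the real log4j package changelog; on a CentOS 7 host you would feed it the output of `rpm -q --changelog log4j` instead. As the thread shows, an id can be absent from the changelog and still be fixed under a different id, so a miss is a prompt to read the vendor advisory, not proof of exposure.

```shell
#!/bin/sh
# Added example: look for CVE identifiers in an RPM changelog.
# SAMPLE_CHANGELOG is constructed test data, NOT the real log4j changelog.
SAMPLE_CHANGELOG='* Thu Jul 27 2017 Example Packager <packager@example.invalid> - 1.2.17-16
- Resolves: CVE-2017-5645 deserialization of untrusted data in SocketServer
- Related: rhbz#0000000 (placeholder bug id)

* Mon Jan 01 2016 Example Packager <packager@example.invalid> - 1.2.17-15
- Rebuild for new toolchain'

# list_cves: print every distinct CVE id found in the changelog read from stdin
list_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# cve_fixed CVE-ID CHANGELOG_TEXT: exit 0 if the id appears, 1 otherwise
cve_fixed() {
    printf '%s\n' "$2" | list_cves | grep -qx "$1"
}

# check_package CHANGELOG_TEXT CVE...: report each id; exit status is the
# number of ids that were not found (0 means every id was referenced)
check_package() {
    _log=$1; shift
    _missing=0
    for _cve in "$@"; do
        if cve_fixed "$_cve" "$_log"; then
            echo "$_cve: referenced in changelog"
        else
            echo "$_cve: NOT referenced (check the vendor advisory; it may be tracked under another id)"
            _missing=$((_missing + 1))
        fi
    done
    return "$_missing"
}

# Run against the constructed sample. On a real host use:
#   check_package "$(rpm -q --changelog log4j)" CVE-2017-5645 CVE-2019-17571
check_package "$SAMPLE_CHANGELOG" CVE-2017-5645 CVE-2019-17571 \
    || echo "$? CVE id(s) not found in changelog"
```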
Quoting Steve Meier <email at steve-meier.de>:
> Hello Steve,
>
> On 2021-12-14 14:14, Steve Clark wrote:
>> This is the standard version that comes with CentOS 7 and is the
>> latest available as of a yum update just now.
>> log4j-1.2.17-16.el7_4.noarch
>
> yes, that's correct, but it is abandoned nonetheless.
>
> According to the RPM's change log, Red Hat backported a fix for
> CVE-2017-5645.
> They have not done this for CVE-2019-17571 it seems.
> I would be very surprised if they'd do so now.
>
> Kind regards,
> Steve
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

Tools (all links without checking content and quality)
https://log4shell.huntress.com/ (source: Sven Kuhnert)
https://therecord.media/log4j-zero-day-gets-security-fix-just-as-scans-for-vulnerable-systems-ramp-up/

Practical application
BlueTeam CheatSheet *Log4Shell* | Last updated: 2021-12-12 2129 UTC - GitHub
https://logging.apache.org/log4j/2.x/security.html

Press
https://www.heise.de/news/Log4j-2-16-0-verbessert-Schutz-vor-Log4Shell-Luecke-6294053.html
https://www.golem.de/news/log4j-luecke-warum-log4shell-so-gefaehrlich-ist-und-was-nicht-hilft-2112-161757-4.html
Note: the comments on the articles contain assessments and hints; newest articles at the top
https://www.heise.de/ratgeber/Schutz-vor-schwerwiegender-Log4j-Luecke-was-jetzt-hilft-und-was-nicht-6292961.html
https://www.golem.de/news/log4shell-bsi-vergibt-hoechste-warnstufe-fuer-log4j-luecke-2112-161734.html
https://www.spiegel.de/netzwelt/web/log4j-luecke-bundesbehoerden-von-schwerer-it-schwachstelle-betroffen-a-6cb889d2-ba8d-48f8-a27a-f923bf11b563
https://www.spiegel.de/netzwelt/web/log4-j-schwachstelle-ja-leute-die-scheisse-brennt-lichterloh-a-760bd03d-42d2-409c-a8d2-d5b13a9150fd
https://www.spiegel.de/netzwelt/web/bundesbehoerde-warnt-vor-schwachstelle-in-weit-verbreiteter-software-a-55bc413b-2e01-446c-8ee6-5fabfee3b0f2

Technical sources
https://www.heise.de/news/Kritische-Zero-Day-Luecke-in-log4j-gefaehrdet-zahlreiche-Server-und-Apps-6291653.html
https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2021/12/warnmeldung_cb-k21-1264.html?nn=520170
https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-549032-10F2.pdf?__blob=publicationFile&v=3
Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation | CISA
Java vulnerability Log4Shell - what happened and what to do - Sophos News
Log4Shell explained - how it works, why you need to know, and how to fix it - Naked Security (sophos.com)