Bug#1004482: liblog4j1.2-java: CVE-2022-23307 CVE-2022-23305 CVE-2022-23302
Christoph Anton Mitterer
calestyo at scientia.org
Fri Jan 28 16:04:08 GMT 2022
Package: liblog4j1.2-java
Version: 1.2.17-10
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
Hey.
A number of holes was found in the 1.2 branch of log4j.
The following is apparently critical (code injection):
https://www.cvedetails.com/cve/CVE-2022-23307/
https://www.cvedetails.com/cve/CVE-2022-23305/
https://www.cvedetails.com/cve/CVE-2022-23302/
AFAIU there is no support anymore form these from upstream, and seems:
https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh
there are no plans to fix it.
EGI recommends: "For services where chainsaw is installed but not used apply the mitigation
zip -q -d /usr/share/cassandra/lib/log4j*.jar org/apache/log4j/chainsaw/*"
Not sure if that could be done for the Debian package in a new version?
Is Debian going to do anything about these?
Thanks,
Chris.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.15.0-3-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
More information about the pkg-java-maintainers
mailing list