GHSA-94g7-hpv8-h9qm

Suggest an improvement
Source
https://github.com/advisories/GHSA-94g7-hpv8-h9qm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-94g7-hpv8-h9qm/GHSA-94g7-hpv8-h9qm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-94g7-hpv8-h9qm
Published
2021-12-14T21:46:35Z
Modified
2021-12-14T20:00:34Z
Summary
Remote code injection in Log4j
Details

Impact

Logging untrusted or user controlled data with a vulnerable version of Log4J may result in Remote Code Execution (RCE) against your application. This includes untrusted data included in logged errors such as exception traces, authentication failures, and other unexpected vectors of user controlled input.

More Details: https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

Patches

Version 1.11.1 of the Splunk Logging for Java library.

There is also a backport to version 1.6.2 released as a patch: 1.6.2-0-0.

Workarounds

If upgrading is not possible, then ensure the -Dlog4j2.formatMsgNoLookups=true system property is set on both client- and server-side components.

References

https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

For more information

If you have any questions or comments about this advisory: * Open an issue in https://github.com/splunk/splunk-library-javalogging/issues * Email us at devinfo@splunk.com

Database specific 
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2021-12-14T20:00:34Z"
}
References

Affected packages

Maven / com.splunk.logging:splunk-library-javalogging

Package

Name
com.splunk.logging:splunk-library-javalogging
View open source insights on deps.dev
Purl
pkg:maven/com.splunk.logging/splunk-library-javalogging

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.11.1