GHSA-xxfh-x98p-j8fr

Source

https://github.com/advisories/GHSA-xxfh-x98p-j8fr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-xxfh-x98p-j8fr/GHSA-xxfh-x98p-j8fr.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xxfh-x98p-j8fr

Published

2021-12-10T20:15:37Z

Modified

2024-12-02T05:49:25.675395Z

Summary

Remote code injection in Log4j (through pax-logging-log4j2)

Details

Impact

Remote Code Execution.

Patches

Users of pax-logging 1.11.9 should update to 1.11.10. Users of pax-logging 2.0.10 should update to 2.0.11.

Workarounds

Set system property -Dlog4j2.formatMsgNoLookups=true

References

https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [],
    "nvd_published_at": null,
    "github_reviewed_at": "2021-12-10T18:54:56Z",
    "severity": "CRITICAL"
}

References

Affected packages

Maven / org.ops4j.pax.logging:pax-logging-log4j2

Package

Name: org.ops4j.pax.logging:pax-logging-log4j2; View open source insights on deps.dev
Purl: pkg:maven/org.ops4j.pax.logging/pax-logging-log4j2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.0.11

Affected versions

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

Maven / org.ops4j.pax.logging:pax-logging-log4j2

Package

Name: org.ops4j.pax.logging:pax-logging-log4j2; View open source insights on deps.dev
Purl: pkg:maven/org.ops4j.pax.logging/pax-logging-log4j2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.11.10

Affected versions

1.*

1.8.0

1.8.1

1.8.2

1.8.3

1.8.4

1.8.5

1.8.6

1.8.7

1.9.0

1.9.1

1.9.2

1.10.0

1.10.1

1.10.2

1.10.3

1.10.4

1.10.5

1.10.6

1.10.7

1.10.8

1.10.9

1.10.10

1.11.0

1.11.1

1.11.2

1.11.3

1.11.4

1.11.5

1.11.6

1.11.7

1.11.8

1.11.9