-
Título
Impact of CVE-2021-44832 Apache Log4j Vulnerability -
Descrição
A critical vulnerability was recently discovered related to systems/software that run Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4)
More information about this vulnerability can be found here: National Vulnerability database - CVE-2021-44832 (nist.gov)
-
Causa
This is an industry-wide vulnerability affecting the Apache Log4j itself and is not specific to Syslog-NG PE
-
Resolução
Syslog-NG PE is not impacted by this vulnerability. While Syslog-NG PE 7.0.29 uses Log4j2 2.17.0, CVE-2021-44832 is related to the Jog4j JDBC Appender, which is not available for use with Syslog-NG PE. The JDBC Appender is not configured by default and is not possible to configure.
Syslog-NG PE 7.0.30 was released with an updated version of Log4j; from the 7.0.30 Release Notes "Resolved Issues" section:
"Log4j upgraded to 2.17.2 Issue ID #SYSLOGDEV-6263"