Log4j CVE-2021-44228, CVE-2021-45046 Summary Page

Please see the disclaimer on our Community Content efforts in detecting and mitigating these Log4j vulnerabilities at Log4j Vulnerability Identification and 3rd Party Remediation Solution Testing Statement

Posting this Summary page to link to latest approaches and content. Comments here will be locked, but refer to the megathread below for the latest discussion points:

Megathread with ongoing discussion:

Latest notes from Apache:
https://logging.apache.org/log4j/2.x/security.html

CVE Links:

https://nvd.nist.gov/vuln/detail/CVE-2021-45105

https://nvd.nist.gov/vuln/detail/CVE-2021-4104

US CISA Guidance:

Affected BigFix Products:

Current guidance:

Upgrade to: Log4j-core-2.17.0.jar
or
Remove the affected JNDI class from earlier versions of Log4j-core-2.x.x.jar

…in any release other than 2.16.0, you may remove the JndiLookup class from the classpath:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

(from the Apache Log4j security page linked above)

Note: Details are emerging, but CVE-2021-45105 may not be remediated by removing JndiLookup.class. That workaround is not listed on Apache’s site, and since the CVE affects 2.16.0, which already had the lookup removed, it is likely only remediated by upgrading to 2.17.0. CVE-2021-45105 is a Denial-of-Service with a CVSS score of 7.5.
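A checker for the guidance above and the note on CVE-2021-45105, added here as an example; it is not code from this page, BigFix or Apache. It reads the Implementation-Version from a log4j-core jar's manifest, reports whether JndiLookup.class is still present, grades the jar against the 2.17.0 guidance, and can strip the class the way the `zip -q -d` command does; `sample_jar` builds a constructed stand-in (fake class bytes, real entry names) so it runs offline.

```python
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"
FIXED = (2, 17, 0)  # the release the page's current guidance says to upgrade to

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-rc1' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def read_version(zf):
    """Implementation-Version from the jar manifest, or None if missing."""
    if MANIFEST not in zf.namelist():
        return None
    for line in zf.read(MANIFEST).decode("utf-8", "replace").splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def assess_jar(jar):
    """jar: path or file object. Returns (version, has_jndi_lookup, verdict)."""
    with zipfile.ZipFile(jar) as zf:
        version, has_jndi = read_version(zf), JNDI_LOOKUP in zf.namelist()
    if version and parse_version(version) >= FIXED:
        return version, has_jndi, "ok"  # 2.17.0 or later
    if has_jndi:
        return version, has_jndi, "vulnerable"  # upgrade, or remove the class as a stopgap
    # class already removed; the page's note says 2.17.0 is still needed for CVE-2021-45105
    return version, has_jndi, "partial"

def remove_jndi_lookup(jar):
    """Copy the jar without JndiLookup.class, the in-Python equivalent of `zip -q -d`."""
    out = io.BytesIO()
    with zipfile.ZipFile(jar) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    return out

def sample_jar(version, with_jndi=True):
    """Constructed stand-in for log4j-core: real entry names, fake class bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # not a real class file
    return buf
```

Point `assess_jar` at each log4j-core jar found on disk; a "partial" verdict means the class was removed but the jar is still below 2.17.0.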

(edits)
2021-12-18 Added CVE-2021-45105
