If you need to run HubNet models, you can do so without logging and there should be no risk (even with the version outside the range).

Edit to add one more item I missed previously. There was a prior note on affected 1.x versions:

Log4j 1.x mitigation: Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.

The default logging configuration for NetLogo does not include a JMSAppender, only a FileAppender. That is changeable so users could use whatever they want, but then the above mitigations (items 2 and 3 above) come into play.

I hope that helps convince your ITSEC team that NetLogo is safe. Let me know if you have further questions.

Hi I am a direct colleague of at Wageningen University and Research (abbreviated as WUR later). However, I am struggling with a few things still, before I will communicate the above with the ITSEC team at WUR. After scanning a computer with NetLogo 6.2.2 I found the following files in NetLogo 6.2.2\app\extensions\.bundled\vid :

First thing, that I find rather odd, is the fact that NetLogo uses Log4j 1.x (as seen in log4j-1.2.17.jar above). The Log4j site states: "Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes." This version has been end of life for more than 6 years.

Second thing, which confuses me, is the presence of the version 2 files of log4j-api and log4j-core. The log4j-core-2.11.0.jar file is the file, that is mainly causing the vulnerability and ought to be updated. How can it be that these are version 2? Therefore, I strongly recommend to have another look at it.
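One way to run the audit that the quoted Log4j 1.x mitigation asks for (an added example, not code from the thread, from NetLogo or from the Log4j project): the function scans a Log4j 1.x properties or XML configuration for a JMSAppender and reports whether any logger references it. The sample configurations and appender names are constructed for illustration and are not NetLogo's actual files.

```python
import re
import xml.etree.ElementTree as ET

JMS_CLASS = "org.apache.log4j.net.JMSAppender"   # appender named in CVE-2021-4104
LOGGER_KEYS = ("rootLogger", "rootCategory", "logger", "category")

def _audit_properties(text):
    appenders, attached = {}, set()
    # Join backslash-continued lines before splitting into entries.
    for raw in text.replace("\r\n", "\n").replace("\\\n", "").splitlines():
        line = raw.strip()
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if not m or line[0] in "#!":             # blank, malformed or comment
            continue
        parts, value = m.group(1).split("."), m.group(2).strip()
        if parts[:2] == ["log4j", "appender"] and len(parts) == 3:
            appenders[parts[2]] = value          # appender name -> class
        elif parts[0] == "log4j" and len(parts) > 1 and parts[1] in LOGGER_KEYS:
            attached.update(a.strip() for a in value.split(",")[1:])  # skip LEVEL
    return {n: n in attached for n, c in appenders.items() if c == JMS_CLASS}

def _audit_xml(text):
    root = ET.fromstring(text)
    attached = {r.get("ref") for r in root.iter("appender-ref")}
    return {a.get("name"): a.get("name") in attached
            for a in root.iter("appender") if a.get("class") == JMS_CLASS}

def find_jms_appenders(text):
    """Map each JMSAppender's name to True if some logger references it."""
    return (_audit_xml if text.lstrip().startswith("<") else _audit_properties)(text)

# Constructed samples (not NetLogo's real configuration files).
FILE_ONLY = """\
log4j.rootLogger=INFO, F
log4j.appender.F=org.apache.log4j.FileAppender
# log4j.appender.J=org.apache.log4j.net.JMSAppender
"""
WITH_JMS = """\
log4j.rootLogger=INFO, F, \\
    J
log4j.appender.F=org.apache.log4j.FileAppender
log4j.appender.J = org.apache.log4j.net.JMSAppender
"""
XML_UNUSED_JMS = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="jms" class="org.apache.log4j.net.JMSAppender"/>
  <appender name="file" class="org.apache.log4j.FileAppender"/>
  <root><appender-ref ref="file"/></root>
</log4j:configuration>
"""
```

To audit an installation, pass the contents of each Log4j 1.x configuration file found on disk to `find_jms_appenders`; an empty result corresponds to the "no JMSAppender configured" condition in the mitigation, and a `False` value marks an appender that is defined but not attached to any logger.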