Launch Week Day 1: Announcing Security Design Review

Remote code injection in Log4j (through pax-logging-log4j2)

GHSA-xxfh-x98p-j8fr

Published Dec 10, 2021 · Modified Dec 2, 2024

Description

Impact

Remote Code Execution.

Patches

Users of pax-logging 1.11.9 should update to 1.11.10.
Users of pax-logging 2.0.10 should update to 2.0.11.

Workarounds

Set system property -Dlog4j2.formatMsgNoLookups=true

References

https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes