Log4Shell announcement (CVE-2021-44228)

[Haarolean]

UPD: There have been discovered more log4j related CVEs, thereby we decided to get rid of log4j completely. The changes are present in master branch already, please consider pulling master labeled image instead of latest. We'll publish a release containing these changed soon.

As you might already know there's a vulnerability issue has been discovered within Log4j, called Log4Shell (CVE-2021-44228), which we use.

If you're using the app docker-way, you're not affected, since the jdk/jre we use for our image sets log4j2.formatMsgNoLookups to true.

if you do build manually, via either jar or own docker image, consider running the app with -Dlog4j2.formatMsgNoLookups=true.

[HenryTheSir]

Hi Haarolean,
just setting the parameter seams to fix just some issues with log4j, they anounced a new vulnerability which does not get closed with the parameters: https://logging.apache.org/log4j/2.x/security.html
Best regards

[Haarolean]

Hey, thanks for the heads-up. We're investigating this.

[Haarolean]

Updated the original message regarding the issue.

[LucasOlivera-andreani]

Hello, any news with this topic

[Haarolean]

Hi, as there are additional CVEs have been introduced -- we're working on removing log4j completely.

[LucasOlivera-andreani]

Thanks for your prompt response, they have an estimated date for the new version

[Haarolean]

Updated the original message regarding the issue.