(This approach is not without its drawbacks pulling in new fixes can also pull in new problems. RecoverPoint Classic 5.1 SP4 P4 Release has a permanent code fix for Apache Log4j vulnerability CVE’s: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 Dell recommends the RecoverPoint customers to upgrade to RecoverPoint Classic 5.1 SP4 P4 Legal Information. Consumers can get a patched version on the next build after the patch is available, which propagates up the dependencies quickly. Open ranges allow the resolution algorithm to select the most recently released version that satisfies dependency requirements, thereby pulling in new fixes. This practice is in contrast to other ecosystems, such as npm, where it’s common for developers to specify open ranges for dependency requirements. Propagating a fix often requires explicit action by the maintainers to update the dependency requirements to a patched version. In the Java ecosystem, it’s common practice to specify “ soft” version requirements - exact versions that are used by the resolution algorithm if no other version of the same package appears earlier in the dependency graph. This exploitable feature was enabled by default in many versions of the library.Īnother difficulty is caused by ecosystem-level choices in the dependency resolution algorithm and requirement specification conventions. The vulnerabilities allow an attacker to perform remote code execution by exploiting the insecure JNDI lookups feature exposed by the logging library log4j. Log4j is a ubiquitous piece of software used to record activities in a wide range of systems found in consumer-facing products and services. More than 35,000 Java packages, amounting to over 8% of the Maven Central repository (the most significant Java package repository), have been impacted by the recently disclosed log4j vulnerabilities ( 1, 2), with widespread fallout across the software industry. The linked list, which continues to be updated, only includes packages which depend on log4j-core. 25% of affected packages have fixed versions available. This third-party component is used in very limited instances within a small subsection of SolarWinds products. The ecosystem impact numbers for just log4j-core, as of 19th December are over 17,000 packages affected, which is roughly 4% of the ecosystem. In December 2021, three CVEs were released for third-party vulnerabilities detected in Apache Log4j software that is utilized widely across the software industry. Since then, the CVE has been updated with the clarification that only log4j-core is affected. The below numbers were calculated based on both log4j-core and log4j-api, as both were listed on the CVE.
0 Comments
Leave a Reply. |