Server side template injection in org.ops4j.pax.logging:pax-logging-log4j2

Description

Remote code injection in Log4j (through pax-logging-log4j2)

Impact

Remote Code Execution.

Patches

Users of pax-logging 1.11.9 should update to 1.11.10. Users of pax-logging 2.0.10 should update to 2.0.11.

Workarounds

Set the system property -Dlog4j2.formatMsgNoLookups=true

References

https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
