The CVE reads that the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included.

Base Score: 9.8 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSSink. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Furthermore, there is no Windchill documentation that mentions enabling or running the capability.

Base Score: 8.8 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2019-17571 only applies if Log4j uses its feature for accessing remote logs through its SocketServer class, which is neither enabled in the OOTB configuration for Windchill nor called from the codebase.