
F5's entire product line is not affected by the Apache Log4j2 remote code execution vulnerability [CVE-2021-44228]

Posted by sysin on 2021-12-14
Updated: Tue Dec 14 2021 14:24:43 GMT+0800

For the latest version, see the original article: "F5's entire product line is not affected by the Apache Log4j2 remote code execution vulnerability [CVE-2021-44228]". Original work; please retain the source when reposting.

Author homepage: sysin.org


Apache Log4j2 Remote Code Execution vulnerability CVE-2021-44228

Security Advisory Description

In Apache Log4j2 <= 2.14.1, the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. When message lookup substitution is enabled, an attacker who can control log messages or log message parameters can execute arbitrary code loaded from an LDAP server. Starting with log4j 2.15.0, this behavior is disabled by default. In prior versions (>2.10), it can be mitigated by setting the system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath (for example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see: https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by setting the defaults "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false". (CVE-2021-44228)
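The two facts a defender needs from the description above are the affected version range (2.x up to 2.14.1) and whether a given log4j-core jar still carries the JndiLookup class that the `zip -q -d` mitigation removes. The following added example (not F5's, Apache's, or the blog author's code) reads a jar's manifest for its Implementation-Version, checks for the JndiLookup entry, and rewrites the jar without that entry, which is the same effect as the `zip -q -d` command in the advisory. The jars it inspects are constructed stand-ins with placeholder class bytes, so it runs offline; the function names `scan_jar`, `strip_jndilookup`, `build_sample_jar` and `run_demo` are this example's own.

```python
"""Offline check for the two log4j-core mitigations named in the advisory:
the affected version range (<= 2.14.1) and the presence of the JndiLookup
class inside a jar. Added example; not F5's or Apache's code."""
import os
import re
import tempfile
import zipfile

# Class whose removal the advisory describes via `zip -q -d`.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); missing components are padded with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable_version(version):
    """Affected range given in the advisory: log4j-core 2.x up to and including 2.14.1."""
    return (2, 0, 0) <= parse_version(version) <= (2, 14, 1)


def scan_jar(path):
    """Report the manifest's Implementation-Version and whether JndiLookup.class is present."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if MANIFEST in names:
            manifest = zf.read(MANIFEST).decode("utf-8", "replace")
            match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if match:
                version = match.group(1)
    has_jndi = JNDI_LOOKUP in names
    return {
        "version": version,
        "has_jndilookup": has_jndi,
        # Flagged only if the class is still there AND the version is in the affected range.
        "vulnerable": has_jndi and version is not None and is_vulnerable_version(version),
    }


def strip_jndilookup(src, dst):
    """Rewrite the jar without JndiLookup.class: the same effect as the advisory's
    `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`."""
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            if item.filename != JNDI_LOOKUP:
                zout.writestr(item, zin.read(item.filename))
    return scan_jar(dst)


def build_sample_jar(path, version, include_jndi=True):
    """Constructed stand-in for log4j-core-<version>.jar (not a real build): a manifest,
    one dummy class, and optionally the JndiLookup entry. Class bodies are placeholders."""
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "Implementation-Title: Apache Log4j Core\r\n"
        f"Implementation-Version: {version}\r\n\r\n"
    )
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(MANIFEST, manifest)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def run_demo():
    """Build constructed jars in a temp dir, scan them, apply the class removal, rescan."""
    workdir = tempfile.mkdtemp()
    old = os.path.join(workdir, "log4j-core-2.14.1.jar")
    fixed = os.path.join(workdir, "log4j-core-2.15.0.jar")
    stripped = os.path.join(workdir, "log4j-core-2.14.1-stripped.jar")
    build_sample_jar(old, "2.14.1")
    build_sample_jar(fixed, "2.15.0")  # 2.15.0 still ships the class but defaults lookups off
    return {
        "before": scan_jar(old),
        "after_strip": strip_jndilookup(old, stripped),
        "fixed_release": scan_jar(fixed),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The version check and the class check are kept separate on purpose: a 2.15.0 jar still contains JndiLookup.class yet is outside the affected range, while a 2.14.1 jar with the class deleted is no longer exploitable through this path. Real log4j-core jars carry the Implementation-Version in their manifest, so `scan_jar` can be pointed at a deployed jar as-is; fat jars that nest log4j-core inside another archive would need the same scan applied to the inner entry.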

Security Advisory Status

| Product | Branch | Versions known to be vulnerable (1) | Fixes introduced in | Severity | CVSSv3 score (2) | Vulnerable component or feature |
|---|---|---|---|---|---|---|
| BIG-IP (all modules) | 16.x | None | Not applicable | Not vulnerable | None | None |
| BIG-IP (all modules) | 15.x | None | Not applicable | Not vulnerable | None | None |
| BIG-IP (all modules) | 14.x | None | Not applicable | Not vulnerable | None | None |
| BIG-IP (all modules) | 13.x | None | Not applicable | Not vulnerable | None | None |
| BIG-IP (all modules) | 12.x | None | Not applicable | Not vulnerable | None | None |
| BIG-IP (all modules) | 11.x | None | Not applicable | Not vulnerable | None | None |
| BIG-IQ Centralized Management | 8.x | None | Not applicable | Not vulnerable | None | None |
| BIG-IQ Centralized Management | 7.x | None | Not applicable | Not vulnerable | None | None |
| F5OS | 1.x | None | Not applicable | Not vulnerable | None | None |
| Traffix SDC | 5.x | ** | ** | ** | ** | ** |
| NGINX Plus | R19 - R25 | None | Not applicable | Not vulnerable | None | None |
| NGINX Open Source | 1.x | None | Not applicable | Not vulnerable | None | None |
| NGINX Unit | 1.x | None | Not applicable | Not vulnerable | None | None |
| NGINX App Protect | 3.x | None | Not applicable | Not vulnerable | None | None |
| NGINX Controller | 3.x | None | Not applicable | Not vulnerable | None | None |
| NGINX Ingress Controller | 2.x | None | Not applicable | Not vulnerable | None | None |
| NGINX Ingress Controller | 1.x | None | Not applicable | Not vulnerable | None | None |
| NGINX Instance Manager | 1.x | None | Not applicable | Not vulnerable | None | None |
| NGINX Service Mesh | 1.x | None | Not applicable | Not vulnerable | None | None |

(1) F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.

(2) The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.

