Power Global
log4j vulnerability in different cve

    Posted Tue July 05, 2022 09:19 AM
    Hi Team,
    We're getting log4j vulnerabilities on some of our AIX servers. The CVEs for these vulnerabilities are mentioned below. We've done some remediation steps for some CVEs, but have some confusion about whether we are getting the same vulnerability error on these CVEs.

    CVEs are:
    1. CVE-2021-44228 (Remote Code Execution) => We have removed the JndiLookup class from the classpath.
    2. CVE-2021-44832 (JDBC Appender when attacker controls configuration) => As per Apache documents we need to upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).
    But CVE-2021-44832 looks the same as CVE-2021-44228. So can anyone confirm whether the remediation steps we've followed for CVE-2021-44228 are enough for CVE-2021-44832, or whether we need to upgrade log4j?
    3. CVE-2021-45105 (DoS vulnerability) => Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).

    Please let us know the remediation for the above CVEs.
    ------------------------------
    Virendra Singh
    ------------------------------
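The post lists two different kinds of remediation: deleting `JndiLookup.class` from the jar (for CVE-2021-44228) and upgrading log4j-core to a fixed release (for CVE-2021-45105 and CVE-2021-44832). The script below is an added example, not code from the post or from Apache, that checks a log4j-core jar against both: it reads the artifact version from Maven's `pom.properties` inside the jar, tests whether `JndiLookup.class` is still present, and reports each CVE separately. The fixed versions for CVE-2021-45105 and CVE-2021-44832 are the ones quoted in the post; the CVE-2021-44228 thresholds (2.3.1, 2.12.2, 2.15.0) are assumed from Apache's original advisory, and the sample jars are constructed in memory so the script runs offline.

```python
"""Check a log4j-core jar against the three CVEs discussed in the post.

Added example, not from the post. Version thresholds for CVE-2021-45105 and
CVE-2021-44832 are those quoted in the post; the CVE-2021-44228 thresholds
are assumed from Apache's advisory.
"""
import io
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Minimum fixed version per release line, keyed by the jar's (major, minor);
# "default" is the 2.17.x line used on Java 8 and later.
FIXED_VERSIONS = {
    "CVE-2021-44228": {(2, 3): (2, 3, 1), (2, 12): (2, 12, 2), "default": (2, 15, 0)},  # assumed
    "CVE-2021-45105": {(2, 3): (2, 3, 1), (2, 12): (2, 12, 3), "default": (2, 17, 0)},
    "CVE-2021-44832": {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4), "default": (2, 17, 1)},
}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-rc1' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def jar_version(zf):
    """Read log4j-core's version from Maven's pom.properties inside the jar."""
    if POM_PROPERTIES not in zf.namelist():
        return None
    for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return parse_version(line.split("=", 1)[1])
    return None


def is_fixed(version, thresholds):
    """True when the jar is at or above the fixed release of its own line."""
    fixed = thresholds.get(version[:2], thresholds["default"])
    return version >= fixed


def assess_jar(source):
    """Return {'version': ..., 'jndi_lookup_present': ..., <CVE>: status}.

    `source` is a path or a file-like object; a real jar path works too.
    """
    with zipfile.ZipFile(source) as zf:
        version = jar_version(zf)
        jndi_present = JNDI_LOOKUP_CLASS in zf.namelist()
    report = {"version": version, "jndi_lookup_present": jndi_present}
    for cve, thresholds in FIXED_VERSIONS.items():
        if version is None:
            report[cve] = "unknown (no pom.properties)"
        elif is_fixed(version, thresholds):
            report[cve] = "fixed by version"
        elif cve == "CVE-2021-44228" and not jndi_present:
            # Removing the class neutralises only the JNDI lookup; it does not
            # touch the JDBC appender (44832) or the lookup-recursion DoS (45105).
            report[cve] = "mitigated (JndiLookup.class removed)"
        else:
            report[cve] = "vulnerable"
    return report


def make_sample_jar(version, include_jndi_lookup):
    """Constructed in-memory jar carrying only the two entries the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            POM_PROPERTIES,
            f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n",
        )
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    buf.seek(0)
    return buf


if __name__ == "__main__":
    samples = [
        ("2.14.1, untouched", make_sample_jar("2.14.1", True)),
        ("2.14.1, JndiLookup removed", make_sample_jar("2.14.1", False)),
        ("2.17.1 upgrade", make_sample_jar("2.17.1", True)),
    ]
    for label, jar in samples:
        print(label, assess_jar(jar))
```

The second sample is the situation the post describes: with `JndiLookup.class` deleted from a 2.14.1 jar, CVE-2021-44228 reports as mitigated while CVE-2021-45105 and CVE-2021-44832 still report as vulnerable, because their status depends only on the jar's version. Point `assess_jar` at the real `log4j-core` jars found on each AIX server to get the same per-CVE breakdown.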