Remote code injection in Log4j (through pax-logging-log4j2)

Critical severity. GitHub reviewed. Published Dec 10, 2021 in ops4j/org.ops4j.pax.logging. Updated Jan 9, 2023.

Package

maven org.ops4j.pax.logging:pax-logging-log4j2 (Maven)

Affected versions

>= 2.0.0, < 2.0.11
< 1.11.10

Patched versions

2.0.11
1.11.10

Description

Impact

Remote Code Execution.

Patches

Users of pax-logging 1.11.9 should update to 1.11.10.
Users of pax-logging 2.0.10 should update to 2.0.11.

Workarounds

Set the JVM system property -Dlog4j2.formatMsgNoLookups=true.

References

GHSA-jfh8-c2jp-5v3q

grgrzybek published to ops4j/org.ops4j.pax.logging on Dec 10, 2021
Reviewed Dec 10, 2021
Published to the GitHub Advisory Database Dec 10, 2021
Last updated Jan 9, 2023

Severity

Critical

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-xxfh-x98p-j8fr