Several government sites in Quebec are down - couldn't get into the ClicSecure gate today ...
https://thehackernews.com/2021/12/apache-log4j-vulnerability-log4shell.html
Suggested action
----------------
The Cyber Centre encourages those organizations with applications
leveraging Apache Log4j to:

  - Upgrade to Log4j version 2.15.0 where possible.
  - Apply the suggested workarounds from Apache if upgrading is not
    immediately possible.
  - Check logs for signs of compromise.

Mitigation
----------
Apache recommends the following mitigations if patching cannot be immediately performed:

  - In Log4j versions >= 2.10, the vulnerable behavior can be mitigated by setting the system property "log4j2.formatMsgNoLookups" to "true".
    Alternatively, the environment variable "LOG4J_FORMAT_MSG_NO_LOOKUPS" can be set to "true" in order to mitigate this behavior.
  - For Log4j versions 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath by running the following command:

      zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
--
"...there are many humorous things in this world; among them the white
man's notion that he is less savage than the other savages."
-Samuel Clemens
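
Added example, not part of the original post or the Cyber Centre advisory: a Python check that the JndiLookup class removal described above actually took effect. It goes beyond the zip command in the post by also looking inside archives nested in a WAR/EAR or fat JAR, which a glob on log4j-core-*.jar in one directory does not reach. The function names, archive names and sample contents are constructed for illustration.

```python
import io
import zipfile

# Class path taken from the zip command quoted in the advisory.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED_SUFFIXES = (".jar", ".war", ".ear")


def find_jndi_lookup(data, label, max_depth=4):
    """Return labels (outer!/inner) of archives that still contain JndiLookup.class."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, nothing to report
    with archive:
        for name in archive.namelist():
            if name == JNDI_CLASS:
                hits.append(label)
            elif name.lower().endswith(NESTED_SUFFIXES) and max_depth > 0:
                # Recurse into embedded libraries (e.g. WEB-INF/lib/*.jar).
                inner = archive.read(name)
                hits += find_jndi_lookup(inner, f"{label}!/{name}", max_depth - 1)
    return hits


def make_zip(entries):
    """Build an in-memory archive from {name: bytes}; used only for sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed samples: one jar with the class, one after the zip -d removal,
# and a web archive that bundles both under WEB-INF/lib.
LOGGER = "org/apache/logging/log4j/core/Logger.class"
vulnerable_core = make_zip({JNDI_CLASS: b"stub", LOGGER: b"stub"})
stripped_core = make_zip({LOGGER: b"stub"})
webapp = make_zip({
    "WEB-INF/lib/log4j-core-x.y.z.jar": vulnerable_core,
    "WEB-INF/lib/other.jar": stripped_core,
})

if __name__ == "__main__":
    for label, data in [("stripped.jar", stripped_core), ("app.war", webapp)]:
        found = find_jndi_lookup(data, label)
        print(label, "->", found or "JndiLookup.class not present")
```

To check a real file, pass its bytes and path, for example find_jndi_lookup(open(path, "rb").read(), path); an empty list means the class was not found in that archive or anything nested in it.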