log4shell

Log4j how to find out if an application has it included

Update ~~2021-12-13~~ 2021-12-15

Elasticsearch: Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31
HCL: CVE-2021-44228 : Security Advisory
IBM: Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228)
Security Bulletin: HCL Connections Security Update for Apache Log4j 2 Vulnerability (CVE-2021-44228)
CVE-2021-45046: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.

So there is a fix for kc.war which updates the log4j 2.8 to 2.15, Elasticsearch in Component Pack has log4j 2.8 and 2.11 included ~~but is not vulnerable because of additional security settings.~~

Created: 11. December 2021
Last Update: 15. December 2021 Read in about 5 min