All F5 products are not affected by the Apache Log4j2 remote code execution vulnerability [CVE-2021-44228]

Posted by sysin on 2021-12-14

Author homepage: www.sysin.org


Apache Log4j2 Remote Code Execution vulnerability CVE-2021-44228

Security Advisory Description

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. When message lookup substitution is enabled, an attacker who can control log messages or log message parameters can execute arbitrary code loaded from an LDAP server. From log4j 2.15.0 this behavior is disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting the system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath (for example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false". (CVE-2021-44228)
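The description above gives two facts a defender can check on disk: the log4j-core version (lookups disabled by default from 2.15.0) and whether JndiLookup.class is still inside the jar (the zip -d mitigation). The following triage script is an added example written for this page; it is not F5's or the Apache project's code. It reads Implementation-Version from the jar manifest (falling back to the file name), tests for the JndiLookup class entry, classifies the jar, and rewrites a jar without that class the way the advisory's zip command does. The sample jars are constructed in memory with a placeholder class body so the script runs offline; the status labels are this example's own naming. Whether log4j2.formatMsgNoLookups is set cannot be seen from the jar, so that mitigation is not assessed here.

```python
"""Triage helper for CVE-2021-44228 (constructed example, not F5's or Apache's code)."""
import io
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"
FIXED_IN = (2, 15, 0)  # per the advisory: message lookups disabled by default from 2.15.0


def parse_version(text):
    """Turn '2.14.1' (or '2.14') into a comparable tuple; None if not a version string."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def jar_version(zf, jar_name):
    """Read Implementation-Version from the manifest, falling back to the jar file name."""
    if MANIFEST in zf.namelist():
        for line in zf.read(MANIFEST).decode("utf-8", "replace").splitlines():
            key, _, value = line.partition(":")
            if key.strip() == "Implementation-Version":
                version = parse_version(value)
                if version:
                    return version
    m = re.search(r"log4j-core-(\d+\.\d+(?:\.\d+)?)\.jar$", jar_name)
    return parse_version(m.group(1)) if m else None


def assess_jar(jar_bytes, jar_name="log4j-core.jar"):
    """Classify one log4j-core jar by version and by presence of JndiLookup.class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        version = jar_version(zf, jar_name)
        has_jndi = JNDI_LOOKUP_CLASS in zf.namelist()
    if version is None:
        status = "unknown-version"          # needs manual review
    elif version >= FIXED_IN:
        status = "not-affected"             # lookups already off by default
    elif not has_jndi:
        status = "mitigated-class-removed"  # the zip -d mitigation has been applied
    else:
        status = "vulnerable"
    return {"jar": jar_name, "version": version,
            "jndi_lookup_present": has_jndi, "status": status}


def remove_jndi_lookup(jar_bytes):
    """Return a copy of the jar without JndiLookup.class (same effect as the advisory's zip -d)."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def make_sample_jar(version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar: a manifest plus placeholder class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for ver, jndi in (("2.14.1", True), ("2.14.1", False), ("2.15.0", True)):
        print(assess_jar(make_sample_jar(ver, jndi), f"log4j-core-{ver}.jar"))
    # Apply the class-removal mitigation to a vulnerable sample and re-check it.
    hardened = remove_jndi_lookup(make_sample_jar("2.14.1"))
    print(assess_jar(hardened, "log4j-core-2.14.1.jar"))
```

On a real host, feed assess_jar the bytes of each log4j-core-*.jar found under the application's classpath; jars that report "vulnerable" are the ones where either the upgrade or the class removal still has to happen.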

Security Advisory Status

Product                       | Branch    | Versions known to be vulnerable [1] | Fixes introduced in | Severity       | CVSSv3 score [2] | Vulnerable component or feature
------------------------------|-----------|-------------------------------------|---------------------|----------------|------------------|--------------------------------
BIG-IP (all modules)          | 16.x      | None                                | Not applicable      | Not vulnerable | None             | None
BIG-IP (all modules)          | 15.x      | None                                | Not applicable      | Not vulnerable | None             | None
BIG-IP (all modules)          | 14.x      | None                                | Not applicable      | Not vulnerable | None             | None
BIG-IP (all modules)          | 13.x      | None                                | Not applicable      | Not vulnerable | None             | None
BIG-IP (all modules)          | 12.x      | None                                | Not applicable      | Not vulnerable | None             | None
BIG-IP (all modules)          | 11.x      | None                                | Not applicable      | Not vulnerable | None             | None
BIG-IQ Centralized Management | 8.x       | None                                | Not applicable      | Not vulnerable | None             | None
BIG-IQ Centralized Management | 7.x       | None                                | Not applicable      | Not vulnerable | None             | None
F5OS                          | 1.x       | None                                | Not applicable      | Not vulnerable | None             | None
Traffix SDC                   | 5.x       | **                                  | **                  | **             | **               | **
NGINX Plus                    | R19 - R25 | None                                | Not applicable      | Not vulnerable | None             | None
NGINX Open Source             | 1.x       | None                                | Not applicable      | Not vulnerable | None             | None
NGINX Unit                    | 1.x       | None                                | Not applicable      | Not vulnerable | None             | None
NGINX App Protect             | 3.x       | None                                | Not applicable      | Not vulnerable | None             | None
NGINX Controller              | 3.x       | None                                | Not applicable      | Not vulnerable | None             | None
NGINX Ingress Controller      | 2.x       | None                                | Not applicable      | Not vulnerable | None             | None
NGINX Ingress Controller      | 1.x       | None                                | Not applicable      | Not vulnerable | None             | None
NGINX Instance Manager        | 1.x       | None                                | Not applicable      | Not vulnerable | None             | None
NGINX Service Mesh            | 1.x       | None                                | Not applicable      | Not vulnerable | None             | None

[1] F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.

[2] The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.

