1
0
Fork 0
mirror of https://github.com/cisagov/log4j-affected-db.git synced 2024-10-31 22:28:26 +00:00

Merge pull request #322 from cisagov/apache-struts-update

Add Apache Struts 2 per Issue#232
This commit is contained in:
Lcerkov 2021-12-21 22:56:44 -05:00 committed by GitHub
commit df0d765bf2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -72,6 +72,7 @@ This list was initially populated using information from the following sources:
| Apache | Kafka | Unknown | Affected | No | [Log4j Apache Log4j Security Vulnerabilities](https://logging.apache.org/log4j/2.x/security.html)| Only vulnerable in certain configuration(s) | | |
| Apache | Log4j | < 2.15.0 | Affected | Yes | [Log4j Apache Log4j Security Vulnerabilities](https://logging.apache.org/log4j/2.x/security.html) | | | |
| Apache | Solr | 7.4.0 to 7.7.3, 8.0.0 to 8.11.0 | Fixed | Yes | [Apache Solr Security](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228) | Update to 8.11.1 or apply fixes as described in Solr security advisory | [Apache Solr 8.11.1 downloads](https://solr.apache.org/downloads.html) | 12/16/2021 |
| Apache | Struts 2 | Versions before 2.5.28.1 | Fixed (See Notes) | Yes | [Apache Struts Announcements](https://struts.apache.org/announce-2021) | The Apache Struts group is pleased to announce that Struts 2.5.28.1 is available as a “General Availability” release. The GA designation is our highest quality grade. This release addresses Log4j vulnerability CVE-2021-45046 by using the latest Log4j 2.12.2 version (Java 1.7 compatible). | [Apache Struts Release Downloads](https://struts.apache.org/download.cgi#struts-ga) | 12/21/2021 |
| Apache | Tomcat | 9.0.x | Not Affected (See Notes) | | [Apache Tomcat Security Notes](https://tomcat.apache.org/security-9.html) | Apache Tomcat 9.0.x has no dependency on any version of log4j. Web applications deployed on Apache Tomcat may have a dependency on log4j. You should seek support from the application vendor in this instance. It is possible to configure Apache Tomcat 9.0.x to use log4j 2.x for Tomcat's internal logging. This requires explicit configuration and the addition of the log4j 2.x library. Anyone who has switched Tomcat's internal logging to log4j 2.x is likely to need to address this vulnerability. In most cases, disabling the problematic feature will be the simplest solution. Exactly how to do that depends on the exact version of log4j 2.x being used. Details are provided on the [log4j 2.x security page](https://logging.apache.org/log4j/2.x/security.html) | | 12/21/2021 |
| Apereo | CAS | 6.3.x & 6.4.x | Affected | Yes | [CAS Log4J Vulnerability Disclosure Apereo Community Blog](https://apereo.github.io/2021/12/11/log4j-vuln/) | | | |
| Apereo | Opencast | < 9.10, < 10.6 | Affected | Yes | [Apache Log4j Remote Code Execution · Advisory · opencast/opencast · GitHub](https://github.com/opencast/opencast/security/advisories/GHSA-mf4f-j588-5xm8) | | | |