Critical Severity - An update on the Apache Log4j 2.x vulnerabilities

[AlexAlvesJr]

Hello, guys!

Recently, it was identified a vulnerability in log4j 2.x. As many companies use this exporter in production environments and this vulnerability has high severity, is it possible that you lauch a new review of the application with the needed upgrades?

Link: https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

Tks,
Alex

[ouwe-knutselaar]

Any reaction on the reqeust?

[AlexAlvesJr]

None…

but the solution is simple, you just need to download the new version of log4j and replace the packages of log4j that you find in the application (mqexporter) directory. Then, you build it with Maven.

let me know if you need some help.

[ouwe-knutselaar]

Well, it is more that I also found some things in the HTTP handler that can be improved. There is very little control of what is accepted by the HTTP server. And suspicious calls are left unnoticed. This punches a hole in your security of your MQ system.

I raised a question to issues list but then I saw also that you had no response for 4 weeks. So I have questions about the activity of this project.