The CVE data is incomplete and does not provide information on the specific software. However, it appears to be related to a vulnerability in a logging library used by some applications.
Version info not stated in advisory.
Check with: find / -name "log4j*.jar" 2>/dev/null
This check command is similar to the one for Log4Shell, but without specific version ranges. If you don't have access to the affected software's source code or configuration files, it may be difficult to determine if you're affected.
Fix source not specified.
Immediate mitigations:
- Set log4j2.formatMsgNoLookups=true as a JVM flag
- Remove the JndiLookup class: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
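To confirm the JndiLookup removal actually took effect, the following added example (not part of the advisory or of any Log4j tooling) scans archives by content instead of by file name. It goes beyond the find command above by descending into nested archives such as fat jars, which a name match on log4j*.jar does not see. The function names, the nesting limit and the stub jars are assumptions constructed for illustration.

```python
import io, os, zipfile

# Class targeted by the JndiLookup removal mitigation above.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 5  # assumption: bound on nesting so the scan always terminates

def scan_archive(data, label, depth=0):
    """Return labels of every archive (nested ones included) holding JndiLookup.class."""
    hits = []
    try:
        with zipfile.ZipFile(data) as zf:
            for name in zf.namelist():
                if name == JNDI_CLASS:
                    hits.append(label)
                elif name.lower().endswith(ARCHIVE_EXTS) and depth < MAX_DEPTH:
                    inner = io.BytesIO(zf.read(name))
                    hits += scan_archive(inner, f"{label}!/{name}", depth + 1)
    except (zipfile.BadZipFile, RuntimeError, OSError):
        pass  # unreadable, corrupt or encrypted: keep what was found so far
    return hits

def scan_tree(root):
    """Walk root and inspect every archive by content, not by file name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                hits += scan_archive(path, path)
    return sorted(hits)

def make_jar(entries):
    """Build an in-memory zip from a {member name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed sample data: stub jars, not real Log4j builds."""
    unpatched = make_jar({JNDI_CLASS: b"stub"})
    patched = make_jar({"org/apache/logging/log4j/core/Logger.class": b"stub"})
    fat = make_jar({"BOOT-INF/lib/log4j-core-sample.jar": unpatched})
    for fn, blob in (("log4j-core-sample.jar", unpatched),
                     ("log4j-core-patched.jar", patched), ("service.jar", fat)):
        with open(os.path.join(root, fn), "wb") as fh:
            fh.write(blob)
```

Calling scan_tree on an application directory returns one entry per archive that still contains the class, with nested locations written as outer.jar!/inner.jar; an empty list means the class was not found in any readable archive.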