1.0.5-HF2 #137
CVE-2021-44228 describes a flaw in the Java logging library Apache Log4j, in versions before 2.15.0 that are also running on older JVMs. It allows an attacker to execute code on the server if the system logs an attacker-controlled string containing the attacker’s JNDI LDAP URL and that LDAP server responds with a specially crafted payload. This release updates the version of Log4j in use to 2.15.0. This is not a critical risk for the earlier versions of the DOMI web application, as more recent JVMs default to not loading code over untrusted URLs. There is no attack vector for LDAP lookups on DOMI's web application using the Dockerfile. As always, consumers should be security conscious with all custom Java code which they choose to upload to their environment. Consumers are requested to review any customizations made to the default setup. There is no Java code in the Notes Client part of DOMI, so no updates are required to Notes Client implementations.
-
Updated web application to update Log4J to latest version
This discussion was created from the release 1.0.5-HF2.
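For the review of customizations that the release notes ask for, a scan like the following lists every Log4j core copy inside a deployed archive, including jars nested in other jars, and marks those older than 2.15.0. It is an added example, not part of the DOMI project; the archive and jar names in the sample are constructed.

```python
import io
import re
import zipfile

FIXED = (2, 15, 0)  # Log4j version this release moves to, per the release notes
CORE_JAR = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label, depth=0, max_depth=4):
    """Return [(path, version, status)] for each Log4j core copy found."""
    # status: "outdated" (< 2.15.0), "ok", or "review" (classes repackaged, no version in a name)
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # unreadable entry: nothing to report
    with zf:
        for info in zf.infolist():
            name, path = info.filename, f"{label}!/{info.filename}"
            match = CORE_JAR.search(name)
            if match:
                version = tuple(int(g or 0) for g in match.groups())
                status = "outdated" if version < FIXED else "ok"
                findings.append((path, version, status))
            elif name == JNDI_CLASS:
                findings.append((path, None, "review"))
            elif name.lower().endswith(ARCHIVES) and depth < max_depth:
                findings += scan_archive(zf.read(info), path, depth + 1, max_depth)
    return findings


def build_sample_war():
    """Constructed sample: a WAR with one old jar and a custom jar that bundles Log4j."""
    def make_zip(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for entry_name, payload in entries.items():
                zf.writestr(entry_name, payload)
        return buf.getvalue()
    custom = make_zip({"lib/log4j-core-2.15.0.jar": b"", JNDI_CLASS: b""})
    return make_zip({"WEB-INF/lib/log4j-core-2.14.1.jar": b"",
                     "WEB-INF/lib/custom-extension.jar": custom})


if __name__ == "__main__":
    for path, version, status in scan_archive(build_sample_war(), "sample.war"):
        print(status, version, path)
```

A "review" result means the Log4j classes were repackaged into another jar, so the version has to be checked by other means; copies whose packages were relocated under a different name are not detected by this scan.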