update guidance to use 2.17.0
breadchris committed Dec 19, 2021
1 parent a33566d commit c387156
Showing 2 changed files with 17 additions and 8 deletions.
5 changes: 4 additions & 1 deletion docs/blog/2021-12-09-log4j-zero-day.mdx
Expand Up @@ -101,7 +101,9 @@ Almost all versions of log4j version 2 are affected.

:::caution Limited vulnerability in `2.15.0`
As of Tuesday, Dec 14, version `2.15.0` was found to still have a possible [vulnerability in some apps](https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f).
We recommend updating to `2.16.0` which [disables](https://github.com/apache/logging-log4j2/commit/44569090f1cf1e92c711fb96dfd18cd7dccc72ea) JNDI and [completely removes](https://github.com/apache/logging-log4j2/pull/623) `%m{lookups}`.
~We recommend updating to `2.16.0` which [disables](https://github.com/apache/logging-log4j2/commit/44569090f1cf1e92c711fb96dfd18cd7dccc72ea) JNDI and [completely removes](https://github.com/apache/logging-log4j2/pull/623) `%m{lookups}`.~
We recommend updating to `2.17.0` which includes the fixes introduced in `2.16.0` as well as a fix for a [discovered denial
of service (DOS) attack](https://logging.apache.org/log4j/2.x/security.html).
:::
### log4j v1

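Review bot: the struck-through recommendation (`~We recommend updating to `2.16.0` ... `%m{lookups}`.~`) uses single tildes, but GFM/MDX strikethrough needs double tildes (`~~...~~`, the form the mitigation guide already uses in `~~preventing the attack~~`), so this line will most likely render with literal tildes and the caution will then read as two contradictory recommendations. Either switch to `~~...~~` or drop the old sentence. Minor: the new text writes "DOS"; the usual abbreviation for denial of service is "DoS".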
Expand Down Expand Up @@ -296,6 +298,7 @@ methods are still prevalent.
15. Updated contact information.
16. Updated original twitter link from @P0rZ9 as the original tweet was deleted. Changed from `https://twitter.com/P0rZ9/status/1468949890571337731` to `https://web.archive.org/web/20211209230040/https://twitter.com/P0rZ9/status/1468949890571337731`
17. Added links to other blog posts.
18. Update post to include latest version 2.17.0 release.

### Editing this post

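Review bot: changelog entry 18 is in present tense ("Update post to include ...") while the neighbouring entries are past tense ("Updated contact information.", "Added links to other blog posts."); suggest `18. Updated post to include the latest version, 2.17.0.` for consistency.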
20 changes: 13 additions & 7 deletions docs/blog/2021-12-12-log4j-zero-day-mitigation-guide.mdx
Expand Up @@ -196,11 +196,13 @@ cd lunasec/tools/log4shell-jar-scripts
### Checking Package Version

If you can check what versions of log4j2 are being used, you can check for any below the recently published
`2.16.0`.
`2.17.0`.

:::caution Limited vulnerability in `2.15.0`
As of Tuesday, Dec 14, version `2.15.0` was found to still have a possible [vulnerability in some apps](https://logging.apache.org/log4j/2.x/security.html).
We recommend updating to `2.16.0` which removes the message lookup feature entirely.
~We recommend updating to `2.16.0` which removes the message lookup feature entirely.~
We recommend updating to `2.17.0` which includes the fixes introduced in `2.16.0` as well as a fix for a [discovered denial
of service (DOS) attack](https://logging.apache.org/log4j/2.x/security.html).
:::

#### log4j v2
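Review bot: the caution block keeps its title `:::caution Limited vulnerability in `2.15.0`` while its body now says `2.16.0` also needs replacing because of a DoS issue, so the title no longer describes the content; consider something like `:::caution Limited vulnerabilities in `2.15.0` and `2.16.0``. The same single-tilde strikethrough problem appears here (`~We recommend updating to `2.16.0` which removes the message lookup feature entirely.~`): GFM/MDX needs `~~...~~`, otherwise both sentences render and contradict each other.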
Expand All @@ -214,9 +216,9 @@ still possibly vulnerable on `2.15.0`.

#### log4j v1

Version 1 of log4j is vulnerable to other RCE attacks (like
Version 1 of log4j is vulnerable to other RCE attacks (like
[CVE-2019-17571](https://www.cvedetails.com/cve/CVE-2019-17571/)), and if you're using it you need to
[migrate](https://logging.apache.org/log4j/2.x/manual/migration.html) to `2.16.0`.
[migrate](https://logging.apache.org/log4j/2.x/manual/migration.html) to `2.17.0`.

### Checking Vendor Software Versions
The above scanning tool might not work for vendor's packages because of obfuscation, and in any case, you'll likely need
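Review bot: the line `Version 1 of log4j is vulnerable to other RCE attacks (like` appears as a removed/added pair with no visible difference, which points to a whitespace-only change (for example trailing spaces); dropping it would keep this hunk to the intended migration-target bump from `2.16.0` to `2.17.0`. The bump itself is consistent with the rest of the commit.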
Expand Down Expand Up @@ -245,9 +247,9 @@ visualization of the Log4Shell exploit. Take note of the possible solutions (sh
</a>


### Option 1: Upgrading to 2.16.0
### Option 1: Upgrading to 2.17.0

Apache log4j has released a version that fixes the Log4Shell vulnerability as of version `2.16.0`. This version disables JNDI by
Apache log4j has released a version that fixes the Log4Shell vulnerability as of version `2.17.0`. This version disables JNDI by
default and removes the message lookup feature.

**[Apache log4j Download Page](https://logging.apache.org/log4j/2.x/download.html)**
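Review bot: the rewritten sentence now credits `2.17.0` with disabling JNDI by default and removing the message lookup feature, but the caution text added elsewhere in this same commit says those fixes were introduced in `2.16.0` and that `2.17.0` adds the DoS fix on top. To keep the guide self-consistent, suggest: `Apache log4j has released a version that fixes the Log4Shell vulnerability as of version `2.16.0`; `2.17.0` additionally fixes a denial of service issue and is the version to upgrade to.`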
Expand All @@ -259,14 +261,18 @@ Log4j version `2.15.0` which was previously thought to be secure has been found
that could result in a DOS (but not RCE), users must update to `2.16.0`.
:::

:::caution Version 2.16.0 vulnerable to DOS
If you have updated Log4j to version `2.16.0`, a Denial of Service (DOS) attack is still present in [certain logging circumstances](https://logging.apache.org/log4j/2.x/security.html).
:::

### Option 2: Enable `formatMsgNoLookups`
:::warning This flag does not prevent all vulnerabilities
As of Dec 14, it's been found that this flag is ineffective at stopping RCE in some situations,
explained here [by log4j](https://logging.apache.org/log4j/2.x/security.html) and in
[CVE-2021-45046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046). We found the CVE wording confusing and
are still investigating this vulnerability.

You must update to `2.16.0` or use the JNDI patches below.
You must update to `2.17.0` or use the JNDI patches below.
:::
The above release of log4j hardcodes the `formatMsgNoLookups` flag to true, ~~preventing the attack~~. If you are using log4j
version `2.10.0` to version `2.14.0` and can't yet update, you can still set the flag manually.
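Review bot: the unchanged context line `that could result in a DOS (but not RCE), users must update to `2.16.0`.` at the top of this hunk still tells readers to update to `2.16.0`, while the caution added directly below it says `2.16.0` is itself vulnerable to DoS; that line needs the same bump to `2.17.0`. The two adjacent cautions (one for `2.15.0`, one for `2.16.0`) could also be merged into a single block that points at `2.17.0`, and "DOS" should read "DoS" in the new caution title and body.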
