Security Issue log4j

Hello Forum,
Do we have a security problem using the FAF Client?
I have found three log4*.jar files in my FAF installation folder while scanning the whole pc.
log4j-api-2.14.1.jar
log4j-core-2.14.1.jar
log4j-to-slf4j-2.14.1.jar

Further information on log4j:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046

Hey @KeuleGrob, one of the client dependencies uses log4j; however, the client itself doesn't use log4j. Also, that dependency has all logging facilities disabled, so there is no threat from log4j in the client.

Hi Sheika, thanks for your fast reply.
I cannot evaluate the complex security circumstances in this special case.
Is it still possible to use Log4j version >= 2.16 with the next patch?
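A defender's check for the situation in these posts, added here as an example that is not part of the thread or of the FAF client: it walks an install folder, reads the version of every log4j-*.jar from its manifest (falling back to the file name) and flags log4j-core below the 2.16 threshold asked about above. The sample folder it builds is constructed from the three jar names listed in the first post.

```python
import os
import re
import tempfile
import zipfile
# Threshold taken from the thread: the poster asks whether log4j >= 2.16 will be shipped.
MIN_SAFE = (2, 16, 0)
NAME_RE = re.compile(r"^(log4j-[a-z0-9-]+?)-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)
def parse_version(text):
    """Turn '2.14.1' (or '2.16') into a 3-part tuple so versions compare numerically."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    parts = [int(p) for p in m.group(0).split(".")] if m else [0]
    return tuple(parts + [0] * (3 - len(parts)))

def manifest_version(jar_path):
    """Read Implementation-Version from META-INF/MANIFEST.MF, or None if it is missing."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    return m.group(1) if m else None

def scan_for_log4j(root):
    """Walk root and describe every log4j-*.jar found; only log4j-core gets flagged."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = NAME_RE.match(name)
            if not m:
                continue
            artifact, name_ver = m.group(1).lower(), m.group(2)
            path = os.path.join(dirpath, name)
            # Prefer the manifest over the file name: a renamed jar can mislead.
            ver = manifest_version(path) or name_ver
            # The JNDI lookup behind CVE-2021-44228 lives in log4j-core; api/bridge jars are only listed.
            flagged = artifact == "log4j-core" and parse_version(ver) < MIN_SAFE
            findings.append({"path": path, "artifact": artifact, "version": ver, "needs_update": flagged})
    return findings

def make_sample_install(root):
    """Constructed stand-in for the FAF folder: the three jar names from the thread."""
    for artifact in ("log4j-api", "log4j-core", "log4j-to-slf4j"):
        with zipfile.ZipFile(os.path.join(root, f"{artifact}-2.14.1.jar"), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n")
if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        make_sample_install(d)
        print(scan_for_log4j(d))
```

Point it at the real installation folder instead of the constructed one to get the same report for an actual client.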

We have to get the dependency to update their dependencies, but we are working with them to do so and it should be updated in the next patch.

@KeuleGrob

We don't need to update log4j; we can simply set log4j2.formatMsgNoLookups = true and the backdoor is closed.

@Uveso
I sincerely hope you are right. This security issue deletes our Christmas holidays, including the weekend.
Where do I set the formatMsgNoLookups parameter? Is there, for example, an XML configuration file in the FAF Client folder?

If that dependency has all logging disabled anyway, can you just delete the log4j jars?

Probably, but I haven't tested it myself.

And how did it all end here? Deleted? Turned off? Have you come to terms with the current situation?

The dependency was updated to the newest log4j, although the client still never interacts with any of the logging there anyway.

@sheikah said in Security Issue log4j:

The dependency was updated to the newest log4j, although the client still never interacts with any of the logging there anyway.

Cool! Thank you for responding!