Mitigating Apache Log4j (Log4Shell) Vulnerabilities

Overview

This topic describes the mitigation available for the recently identified log4j vulnerabilities, currently including the following:

Fixes for these vulnerabilities are included in upgrades to this and subsequent releases of TOS Aurora.

TOS Aurora R21-3

| CVE | Manual Mitigation Without Requiring Upgrade | Scheduled Hotfix |
|---|---|---|
| CVE-2021-44228 (Severity: Critical; resolved in log4j 2.15.0) | Not available | Resolved in TOS Aurora R21-3 PGA.1.0 |
| CVE-2021-45046 (Severity: updated from Low to Critical; resolved in log4j 2.16.0) | Not available | Resolved in TOS Aurora R21-3 PGA.1.0 |
| CVE-2021-45105 (Severity: High; resolved in log4j 2.17.0) | Not available | Resolved in TOS Aurora R21-3 PGA.1.0 |
| CVE-2021-44832 (Severity: Medium; resolved in log4j 2.17.1) | Not available | Resolved in TOS Aurora R21-3 PHF1.0.0 |

TOS Aurora R21-2

| CVE | Manual Mitigation Without Requiring Upgrade | Scheduled Hotfix |
|---|---|---|
| CVE-2021-44228 (Severity: Critical; resolved in log4j 2.15.0) | Not available | Resolved in TOS Aurora R21-2 PHF1.1.0 |
| CVE-2021-45046 (Severity: updated from Low to Critical; resolved in log4j 2.16.0) | Not available | Resolved in TOS Aurora R21-2 PHF1.1.0 |
| CVE-2021-45105 (Severity: High; resolved in log4j 2.17.0) | Not available | Resolved in TOS Aurora R21-2 PHF2.0.0 |
| CVE-2021-44832 (Severity: Medium; resolved in log4j 2.17.1) | Not available | Not planned. Upgrade to a more recent version of TOS that includes this fix. |

TOS Aurora R21-1 or earlier

Upgrade to a supported TOS Aurora release that includes the CVE fix.