Hey guys i find that there is a very bad vulnerability called log4j java how to get rid of it.
Fixed version of log4j is already available for rawhide and in updates testing for 35 (you can follow instructions in the Bodhi Update to install the fixed version if you need it), but if you aren’t running a server with a Java application you are probably safe anyway (log4j is not part of the default installation).
For more information check the CVE bug 2030945 – CVE-2021-44228 log4j: log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value [fedora-all]
10 Likes
The real problem is that log4j is embedded into many other products so upgrading the system version may not be enough. Most of these are server applications but some are clients which also provide server functionality. The most notable example of this is the Minecraft client.
5 Likes
Yes i just recently find this and that is extremely terrifying. as there are millions of devices that are vulnerable and it is happening right now and i find this that some devices are vulnerable with this attack so was not sure about fedora installation as and thanks for clarifying.
1 Like