Java zero day needs to be patched log4j

<<

freaknik

DLNA master

Posts: 345

Joined: Thu Mar 27, 2014 2:05 pm

Location: Endor

Post Sat Dec 11, 2021 10:49 am

Java zero day needs to be patched log4j

https://www.wired.com/story/log4j-flaw- ... -internet/

I have an old Serviio so I don't know if the current one is patched for this, but it was just discovered and Apache are working on it, and they make it sound very bad.

On my version of Serviio it has

C:\Program Files\Serviio\lib\slf4j-log4j12.jar
C:\Program Files\Serviio\lib\log4j.jar
C:\Program Files\Serviio\config\log4j.xml
C:\Program Files\Serviio\legal\Log4J-licence.txt

You probably already know but this would be worth upgrading to a new version for me to be safe (relatively speaking).
<<

Wiggy

Serviio newbie

Posts: 4

Joined: Mon Aug 27, 2018 8:37 pm

Post Sat Dec 11, 2021 9:03 pm

Re: Java zero day needs to be patched log4j

From what I can tell the latest version of Serviio is bundled with version 1.2.16 of log4j. This is an older version and is not susceptible to the current zero day vulnerability.

It would be good for others to check and confirm my findings.
<<

bolzass

Serviio lover

Posts: 67

Joined: Thu Jan 02, 2014 6:32 pm

Post Sat Dec 11, 2021 10:53 pm

Re: Java zero day needs to be patched log4j

This CVE does not affect Serviio as it does not use JNDI over log4j and, furthermore, this vulnerability only affects a subset of versions from the v2 branch of log4j and Serviio uses v1. So, no problem!
<<

cjohnmurphy

Serviio newbie

Posts: 2

Joined: Mon Dec 13, 2021 1:02 am

Post Mon Dec 13, 2021 1:14 am

Re: Java zero day needs to be patched log4j

Bolzass states that we don't need to worry because the new log4j exploit does not affect the 1.2 version. On the contrary, the Apache site identifies a known exploit in the 1.2 version that will not be fixed by Apache because that version is end of life.
<<

bolzass

Serviio lover

Posts: 67

Joined: Thu Jan 02, 2014 6:32 pm

Post Mon Dec 13, 2021 11:34 pm

Re: Java zero day needs to be patched log4j

No cjohnmurphy, I stated it because it does not use JNDI over log4j. Read it better.
About the Apache site, you are talking about CVE-2019-17571. Welcome, you arrived 2 years later.
Anyway, for wokers, Zip already upgraded log4j (welcome!, although v1 is not affected by this specific CVE-2021-44228 as it does not offer a lookup mechanism);
<<

burgergold

Serviio newbie

Posts: 2

Joined: Sun Jan 09, 2022 2:24 pm

Post Sun Jan 09, 2022 2:38 pm

Re: Java zero day needs to be patched log4j

Any plan to update log4j to 2.17.1? Even at 2.15.0, there are CVEs fixed in 2.16.0, 2.17.0 and 2.17.1.
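
An added example, not part of any post in this thread and not Serviio's own code: one way to check which log4j branch the jars in a `lib` folder belong to, and whether they carry the classes tied to the two CVEs named above (`JndiLookup` for CVE-2021-44228 in v2, `SocketServer` for CVE-2019-17571 in v1). The function names and the sample jars built in `build_sample` are constructed for illustration.

```python
import re, tempfile, zipfile
from pathlib import Path

# Class files that identify each log4j branch and the CVE-relevant components.
V1_MARKER = "org/apache/log4j/Logger.class"
V2_MARKER = "org/apache/logging/log4j/core/Logger.class"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # v2, CVE-2021-44228
SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"              # v1, CVE-2019-17571

def manifest_version(zf):
    """Return the version recorded in the jar manifest, or None if absent."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^(?:Implementation|Bundle)-Version:\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def inspect_jar(path):
    """Describe one jar, or return None when it contains no log4j classes."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        branch = "2.x" if V2_MARKER in names else "1.x" if V1_MARKER in names else None
        if branch is None:
            return None
        return {"jar": Path(path).name, "branch": branch,
                "version": manifest_version(zf),
                "jndi_lookup": JNDI_LOOKUP in names,
                "socket_server": SOCKET_SERVER in names}

def scan(root):
    """Inspect every *.jar under root; unreadable archives are skipped."""
    found = []
    for p in sorted(Path(root).rglob("*.jar")):
        try:
            info = inspect_jar(p)
        except zipfile.BadZipFile:
            continue
        if info:
            found.append(info)
    return found

def build_sample(root):
    """Constructed stand-in jars (empty class entries), not real log4j builds."""
    for name, ver, classes in [("log4j.jar", "1.2.16", [V1_MARKER, SOCKET_SERVER]),
                               ("log4j-core.jar", "2.14.1", [V2_MARKER, JNDI_LOOKUP]),
                               ("slf4j-log4j12.jar", "1.7.0", ["org/slf4j/impl/Log4jLoggerAdapter.class"])]:
        with zipfile.ZipFile(Path(root) / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")
            for c in classes:
                zf.writestr(c, b"")
```

Point `scan()` at the real install folder to check an actual deployment. Jars nested inside other jars are not opened by this version.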
