Log4j is just the gift that keeps on giving.
Hello,
Continuing with the Log4j vulnerabilities:
CVE-2021-44228 (CVSS score: 10.0) - A remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.14.1 (Fixed in version 2.15.0) -> FIXED in Version 10.2.5 - OK
CVE-2021-45046 (CVSS score: 9.0) - An information leak and remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 (Fixed in version 2.16.0) -> FIXED in Version 10.2.5 - OK
Is MWG affected?
CVE-2021-45105 (CVSS score: 7.5) - A denial-of-service vulnerability affecting Log4j versions from 2.0-beta9 to 2.16.0 (Fixed in version 2.17.0)
Is MWG affected?
CVE-2021-4104 (CVSS score: 8.1) - An untrusted deserialization flaw affecting Log4j version 1.2 (No fix available; Upgrade to version 2.17.0)
Are there any instructions for mitigating the CVE(s) CVE-2021-4104 and CVE-2021-45106, or any forecast of a new release with these corrections?
Best Regards,
DSO
New CVE-2021-44832.
Is there any form of mitigation for this new CVE?
Best Regards
Also the same question: what about 2.17?
Hi, 10.2.5 fixes the log4j vulnerability problem? That means it is not vulnerable
10.2.5 upgraded the log4j library version to 2.16.0. This resolved the original Remote Code Execution vulnerability.
The vulnerabilities associated with log4j discovered after the fact were all deemed to not affect MWG due to the configuration of Java on the system.
Regardless, I'd encourage you to limit WebUI access to those that should have it through Firewall policy.