Log4j Critical Vulnerability - Remote Code Injection

[jekhokie]

Based on GHSA-jfh8-c2jp-5v3q
"Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser."
In addition, according to CVE-2021-4104, Log4j 1.2 is subject to similar RCE when JMSAppenders are used, and Log4j 1.x is well out of support at this time.

It's advised to migrate to Log4j 2.16.0 at this time. Based on the severity of the issue, request that this be dealt with via a backport approach if at all possible. Would it be possible to migrate to Log4j 2.16.0 to mitigate the risk to anyone using this application?

Thank you!

[thomaslaw]

Hi Justin,

We are aware of the issue. However, can you follow the process described on CONTRIBUTING.md? This will ensure the issue is properly triaged and acknowledged by Linkedin Security.

I will leave this Issue open until we have the appropriate changes merged.

FYI @atoomula

Thanks,
Thomas