Graylog and the CVE-2021-45046 vulnerability

As "Log4Shell Update: Second log4j Vulnerability Published (CVE-2021-44228 + CVE-2021-45046) | LunaSec" says, setting noMsgFormatLookups to True will not work any more. The current Graylog update only includes setting the noMsgFormatLookups variable.

When can we expect this issue to get solved?

See Fixes for log4j CVE-2021-44228 by mpfz0r · Pull Request #11786 · Graylog2/graylog2-server · GitHub

That’s not correct. We also updated log4j to 2.15.0. We just added the noMsgFormatLookups setting as a second measure.

I'm currently upgrading Graylog to version 3.3.15, and I'm just wondering whether that includes the fix for the last issue mentioned here or whether a new image is going to be created. I will appreciate your comments on this.

It might not be enough, but that is case dependent; log4j 2.16.0 is already released.

How do I update log4j from 2.11.1 to 2.16.0?
I use Graylog 4.2.3 and Elasticsearch 7.10.2 (OSS build).

Update Graylog to the latest version; you even get log4j 2.16 with it 🙂
