On December 9, Apache confirmed a new zero-day vulnerability impacting the Apache Log4j utility. Carrier is executing Emergency Patch Deployment (EPD) for Apache Log4j Zero-day Remote Code Execution (RCE) Vulnerability (CVE-2021-44228). This allows a remote attacker to take control of an affected system. For additional details about this vulnerability, affected versions and solutions, please reference the Apache Logging Services alert.
Carrier suggested making the changes below on or before December 15:
- Upgrade all related Apache Log4j2 applications to the latest log4j-2.15.0 version.
- Set log4j2.formatMsgNoLookups to true
Please suggest whether we need to take any action on the GitLab application.
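
An added example, not part of the original post or of Carrier's notice: one way to inventory which `log4j-core` JARs on a host fall below the 2.15.0 baseline named above. It assumes the JARs keep the standard `log4j-core-<version>.jar` file name; copies bundled inside other archives (fat or shaded JARs) are not inspected and need a separate check.

```python
import os
import re
import zipfile

# Baseline from the notice quoted above: upgrade to log4j-2.15.0.
FIXED = (2, 15, 0)
JAR_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)(.*)\.jar$")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(filename):
    """Return the numeric version tuple from a log4j-core JAR name, or None."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # "2.0-beta9" -> (2, 0, 0)


def has_jndi_lookup(path):
    """True/False if the archive ships JndiLookup; None if it cannot be read."""
    try:
        with zipfile.ZipFile(path) as jar:
            return JNDI_CLASS in jar.namelist()
    except (zipfile.BadZipFile, OSError):
        return None  # unreadable archive: report it rather than guess


def scan(root):
    """Walk root and return one finding per log4j-core JAR found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            version = parse_version(name)
            if version is not None:
                path = os.path.join(dirpath, name)
                findings.append({"path": path, "version": version,
                                 "needs_upgrade": version < FIXED,
                                 "has_jndi_lookup": has_jndi_lookup(path)})
    return findings


if __name__ == "__main__":
    import sys
    for f in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("UPGRADE" if f["needs_upgrade"] else "ok", f["version"], f["path"])
```

Run it with the application's install directory as the only argument; an empty result means no standalone `log4j-core` JAR was found under that path, not that no bundled copy exists.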