[Bezpečnostní varování] - Chyba zabezpečení v knihovně Apache Log4j

[lars]

Vulnerability in Apache Log4j Library

Release date: December 14, 2021
Security ID: QSA-21-58
CVE identifier: CVE-2021-44228
Affected products: QNAP NAS running certain applications
Status: Investigating

Summary
A vulnerability has been reported to affect the Apache Log4j Java logging library. If exploited, this vulnerability allows attackers to execute arbitrary code. The vulnerability was disclosed on December 9, 2021:

- CVE-2021-44228: Apache Log4j 2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints

We have determined that the QTS and QuTS hero operating systems are not affected.
For applications which depend on Java Runtime Environment, our current findings are as follows.

Celý článek: https://www.qnap.com/cs-cz/security-advisory/qsa-21-58