Affected by Log4shell?
schmensch opened this issue · 3 comments
log4j recently had 2 major vulnerabilities, rated 9 and 10 on the severity rating. Is C2ME patched against this? According to build.gradle, it depends on the still very vulnerable log4j 2.14 and not patched log4j 2.16.
I believe Fabric Loader itself protects all mods from the vulnerability of the exploit. Don’t quote me on that though.
As of right now the original log4shell exploit has been mitigated in dev environments, but some additional exploits still remain possible. Fabric loader should be updated to 0.12.12 in the gradle.properties to patch CVE-2021-44228 in dev environments. (This is different than the original attack but just as dangerous.) Gradle should also be updated to 7.3.2 as it patches a log4j exploit (CVE number not provided in change log). This can be done by running `./gradlew wrapper --gradle-version=7.3.2` (Mac and Linux) or `gradlew wrapper --gradle-version=7.3.2` (Windows CMD) in the project's directory via the terminal. Doing this vs just changing the `distributionUrl` will allow the gradlew scripts to be updated as they are out of date.
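
A read-only check for the two versions named in the comment above, added here as an example and not part of the thread or of C2ME. It assumes the Fabric template's `loader_version` key in `gradle.properties` and the standard `gradle/wrapper/gradle-wrapper.properties` path; the function names are hypothetical.

```shell
# Added example: report whether a Fabric mod project meets the versions from the thread.
MIN_LOADER="0.12.12"   # Fabric Loader version named in the comment
MIN_GRADLE="7.3.2"     # Gradle version named in the comment

# prop_value FILE KEY: read KEY=value from a .properties file (last match wins).
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null | tail -n 1 | tr -d '[:space:]'
}

# wrapper_gradle_version FILE: pull the Gradle version out of distributionUrl.
wrapper_gradle_version() {
    sed -n 's/^distributionUrl=.*\/gradle-\([0-9][0-9.]*\)-.*/\1/p' "$1" 2>/dev/null | tail -n 1
}

# version_ge A B: succeed when dotted version A >= B, compared numerically per part
# (a plain string comparison would rank 0.12.5 above 0.12.12).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); if (m > n) n = m
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# check_project DIR: print one line per component; return 1 if either is old or missing.
check_project() {
    rc=0
    loader=$(prop_value "$1/gradle.properties" loader_version)   # key name is an assumption
    gradle=$(wrapper_gradle_version "$1/gradle/wrapper/gradle-wrapper.properties")
    if [ -n "$loader" ] && version_ge "$loader" "$MIN_LOADER"; then
        echo "OK      fabric loader $loader"
    else
        echo "UPDATE  fabric loader ${loader:-not found} (want >= $MIN_LOADER)"; rc=1
    fi
    if [ -n "$gradle" ] && version_ge "$gradle" "$MIN_GRADLE"; then
        echo "OK      gradle wrapper $gradle"
    else
        echo "UPDATE  gradle wrapper ${gradle:-not found} (want >= $MIN_GRADLE)"; rc=1
    fi
    return $rc
}

# Usage: sh check.sh /path/to/project
if [ $# -gt 0 ]; then check_project "$1"; fi
```

The script only reads the two properties files; it does not inspect which log4j version the build actually resolves.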