NeDi Community

NeDi General => News => Topic started by: Saguu on December 13, 2021, 10:36:34 am

Title: NeDi & CVE-2021-44228
Post by: Saguu on December 13, 2021, 10:36:34 am

Hello Remi,

Could you confirm (or not) that NeDi is not vulnerable to the Log4Shell vuln (CVE-2021-44228) ?

Many thanks

Title: Re: NeDi & CVE-2021-44228
Post by: Hannu Liljemark on December 13, 2021, 11:59:52 am

While you wait for Remo's reply, I guess you've verified that with eg. 2.0.120p3 install package the situation is:

# lsof | grep .jar | awk '{print $9}'|sort -u| xargs -I{} grep -s JndiLookup.class "{}"
#

$ find /var/nedi 2>/dev/null -regex ".*.jar" -type f | xargs -I{} grep JndiLookup.class "{}"
$

So JndiLookup.class is not used. As expected since Nedi doesn't use java...

Br,
Hannu

Title: Re: NeDi & CVE-2021-44228
Post by: Saguu on December 13, 2021, 12:31:09 pm

Thanks