Impact
Older versions of the log4j library have a remote code execution (RCE) vulnerability (CVE-2021-44228). When callstats is not enabled, jigasi is not affected. jigasi versions prior to 1.1-216-ga2399b9 (Dec 10, 2021) may be affected by this vulnerability when callstats is enabled.
Patches
The problem has been patched in jigasi version 1.1-216-ga2399b9.
Workarounds
Loading the JVM with the -Dlog4j2.formatMsgNoLookups=true option should mitigate this issue for vulnerable versions.
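One way to triage a host against the three conditions in this advisory (callstats state, installed version, workaround flag), as an added example that is not jigasi project code. The function names and status words are assumptions of this example, the callstats state is supplied by the operator, and every sample version other than 1.1-216-ga2399b9 is constructed.

```shell
#!/bin/sh
# Added triage helper, not jigasi project code. Status words are this example's own.
FIXED_VERSION="1.1-216-ga2399b9"   # patched version named in the advisory

# Print "major minor commits" for a git-describe style version (X.Y-N-gHASH);
# prints nothing when the string does not have that shape.
version_key() {
    printf '%s\n' "$1" | sed -n \
        's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)-\([0-9][0-9]*\)-g[0-9a-f][0-9a-f]*.*$/\1 \2 \3/p'
}

# version_lt A B: 0 if A is older than B, 1 if not, 2 if either is unparseable.
version_lt() {
    a=$(version_key "$1"); b=$(version_key "$2")
    [ -n "$a" ] && [ -n "$b" ] || return 2
    set -- $a $b
    [ "$1" -lt "$4" ] && return 0; [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0; [ "$2" -gt "$5" ] && return 1
    [ "$3" -lt "$6" ]
}

# Succeeds only when the exact workaround option is a whole JVM argument.
# On Linux, pass: "$(tr '\0' ' ' < /proc/<pid>/cmdline)"
has_workaround() {
    case " $1 " in
        *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
    esac
    return 1
}

# triage VERSION CALLSTATS(yes|no) JVM_CMDLINE -> prints one status word.
triage() {
    if [ "$2" = "no" ]; then echo "not-affected"; return 0; fi
    rc=0; version_lt "$1" "$FIXED_VERSION" || rc=$?
    case $rc in
        1) echo "patched" ;;
        2) echo "unknown-version" ;;
        0) if has_workaround "$3"; then echo "workaround-set"
           else echo "may-be-affected"; fi ;;
    esac
}

# Constructed sample inputs (versions and command lines are made up).
triage "1.1-200-gabc1234" yes "java -Xmx1g"
triage "1.1-200-gabc1234" yes "java -Xmx1g -Dlog4j2.formatMsgNoLookups=true"
triage "1.1-216-ga2399b9" yes "java -Xmx1g"
```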
References
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
For more information
If you have any questions or comments about this advisory: