January update: We have added details about the latest GitHub Enterprise Server release and Log4j.

Today we released new versions of GitHub Enterprise Server (3.3.2, 3.2.7, 3.1.15, 3.0.23), which update our Log4j dependency to version 2.17.1. Our initial configuration-based mitigation, detailed and released in GitHub Enterprise Server versions 3.3.1, 3.2.6, 3.1.14, and 3.0.22, still fully mitigates the risk of the Log4j vulnerabilities CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832. We elected to update to this latest version of Log4j as part of our normal release cycle. This upgrade will decrease false positives from file-based vulnerability scanners, which flag the version of the Log4j artifact on disk regardless of how it is configured.

December update: We have added details of our continued response to CVE-2021-44228 and newly-discovered variants in Log4j.

GitHub is tracking the latest updates regarding Log4j 2.15, the subsequent release of Log4j 2.16, and CVE-2021-45046. This week, we have continued to monitor the impact of these variants across our products and infrastructure. Additionally, the GitHub Security Lab has engaged in further analysis to understand our products' exposure and to actively review and evaluate the effectiveness of our previous mitigations. At this time, we have not identified any additional risk or exposure to GitHub internally or to our products. Detailed updates for our products are below, with no new action required by users at this time.

GitHub Enterprise Server

Elasticsearch is currently the only known exposure to Log4j vulnerabilities in GitHub Enterprise Server. We have internally validated that our mitigation approach for CVE-2021-44228 in GitHub Enterprise Server (released on December 13 in patch versions 3.3.1, 3.2.6, 3.1.14, and 3.0.22) also mitigates CVE-2021-45046 and other currently-published variants impacting Log4j. Our releases follow Elasticsearch's mitigation suggestions and do not require an immediate update to Log4j 2.16. The mitigations detailed in our December post below remain effective and should be followed to secure instances of GitHub Enterprise Server.

On December 14, we finalized our rollout of mitigations for our use of Elasticsearch within GitHub.com and GitHub Enterprise Cloud.
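The remark above about file-based vulnerability scanners is worth making concrete. The following is an added example, not code from GitHub or from Elasticsearch. It builds constructed stand-in log4j-core jars in memory (a manifest plus an optional JndiLookup.class placeholder, not real Log4j artifacts) and compares a scanner that keys only on the manifest version with one that also checks whether the JndiLookup class has been removed, which is one of Apache's documented mitigations for the JNDI-based CVEs. The exact mitigation shipped in GitHub Enterprise Server is not described on this page and is not modeled here; a JVM-property mitigation such as log4j2.formatMsgNoLookups lives in the process arguments, not in the jar, and a file-based scanner cannot see it at all.

```python
"""Version-only versus artifact-aware Log4j jar checks.

Added example, not GitHub's or Elasticsearch's code. The jars built here are
constructed stand-ins (a manifest plus an optional JndiLookup.class
placeholder), not real Log4j artifacts.
"""
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# First Log4j 2.x release that fixes each CVE named in the post, and whether
# the CVE depends on the JndiLookup class. The 2.3.x and 2.12.x backport
# branches are not modeled.
CVES = {
    "CVE-2021-44228": ((2, 15, 0), True),
    "CVE-2021-45046": ((2, 16, 0), True),
    "CVE-2021-45105": ((2, 17, 0), False),
    "CVE-2021-44832": ((2, 17, 1), False),
}


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); a missing patch level counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable Log4j version: {text!r}")
    return tuple(int(x or 0) for x in m.groups())


def build_jar(version, include_jndi_lookup):
    """Constructed stand-in for log4j-core-<version>.jar, returned as bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\n"
                    "Implementation-Title: Apache Log4j Core\r\n"
                    f"Implementation-Version: {version}\r\n")
        if include_jndi_lookup:
            # Placeholder bytes; only the entry name matters for the check.
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def inspect_jar(jar_bytes):
    """Return (version tuple, JndiLookup.class present?) for a log4j-core jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
        names = set(zf.namelist())
    m = re.search(r"^Implementation-Version:[ \t]*(\S+)", manifest, re.M)
    if not m:
        raise ValueError("no Implementation-Version in manifest")
    return parse_version(m.group(1)), JNDI_LOOKUP in names


def version_only_findings(version):
    """What a file-based scanner keyed purely on the jar version reports."""
    return sorted(cve for cve, (fixed, _) in CVES.items() if version < fixed)


def assess(jar_bytes):
    """Artifact-aware verdict: drop JNDI-based CVEs if the class is gone."""
    version, has_jndi = inspect_jar(jar_bytes)
    by_version = version_only_findings(version)
    # Keep a finding if the class is still present or the CVE is not JNDI-based.
    remaining = [cve for cve in by_version if has_jndi or not CVES[cve][1]]
    return {
        "version": version,
        "jndi_lookup_present": has_jndi,
        "version_only": by_version,          # what the file-based scanner says
        "false_positives": [c for c in by_version if c not in remaining],
        "remaining": remaining,              # still needs the version upgrade
        "verdict": "vulnerable" if remaining else "fixed",
    }


if __name__ == "__main__":
    for ver, keep_class in [("2.14.1", True), ("2.14.1", False),
                            ("2.16.0", False), ("2.17.1", True)]:
        r = assess(build_jar(ver, keep_class))
        jndi = "yes" if keep_class else "no"
        print(f"{ver:7} JndiLookup={jndi:3} scanner={r['version_only']} "
              f"false_positives={r['false_positives']} "
              f"remaining={r['remaining']} -> {r['verdict']}")
```

Running the block prints one row per constructed jar. The 2.14.1 jar with JndiLookup removed is where the two scanners disagree: the version-only scanner still reports CVE-2021-44228 and CVE-2021-45046, while the artifact-aware check drops them. It also shows why class removal alone does not silence scanners: CVE-2021-45105 and CVE-2021-44832 are not JNDI-based, so only the upgrade to 2.17.1 clears the jar of every finding.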