GHSA-94G7-HPV8-H9QM
Vulnerability from github – Published: 2021-12-14 21:46 – Updated: 2025-08-07 14:10Impact
Logging untrusted or user controlled data with a vulnerable version of Log4J may result in Remote Code Execution (RCE) against your application. This includes untrusted data included in logged errors such as exception traces, authentication failures, and other unexpected vectors of user controlled input.
More Details: https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
Patches
Version 1.11.1 of the Splunk Logging for Java library.
There is also a backport to version 1.6.2 released as a patch: 1.6.2-0-0.
Workarounds
If upgrading is not possible, then ensure the -Dlog4j2.formatMsgNoLookups=true system property is set on both client- and server-side components.
References
https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
For more information
If you have any questions or comments about this advisory: * Open an issue in https://github.com/splunk/splunk-library-javalogging/issues * Email us at devinfo@splunk.com
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.splunk.logging:splunk-library-javalogging"
},
"ranges": [
{
"events": [
{
"introduced": "1.7.0"
},
{
"fixed": "1.11.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.splunk.logging:splunk-library-javalogging"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.2-0-0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2021-12-14T20:00:34Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Impact\nLogging untrusted or user controlled data with a vulnerable version of Log4J may result in Remote Code Execution (RCE) against your application. This includes untrusted data included in logged errors such as exception traces, authentication failures, and other unexpected vectors of user controlled input.\n\nMore Details:\nhttps://github.com/advisories/GHSA-jfh8-c2jp-5v3q\n\n### Patches\nVersion 1.11.1 of the Splunk Logging for Java library.\n\nThere is also a backport to version 1.6.2 released as a patch: 1.6.2-0-0.\n\n### Workarounds\nIf upgrading is not possible, then ensure the -Dlog4j2.formatMsgNoLookups=true system property is set on both client- and server-side components.\n\n### References\nhttps://github.com/advisories/GHSA-jfh8-c2jp-5v3q\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in https://github.com/splunk/splunk-library-javalogging/issues\n* Email us at [devinfo@splunk.com](mailto:devinfo@splunk.com)",
"id": "GHSA-94g7-hpv8-h9qm",
"modified": "2025-08-07T14:10:22Z",
"published": "2021-12-14T21:46:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/splunk/splunk-library-javalogging/security/advisories/GHSA-94g7-hpv8-h9qm"
},
{
"type": "PACKAGE",
"url": "https://github.com/splunk/splunk-library-javalogging"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Remote code injection in Log4j"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.