• Login
    • Search
    • Categories
    • Recent
    • Tags
    • Users
    • Groups
    • Rules
    • Help

    Do more on the web, with a fast and secure browser!

    Download Opera browser with:

    • built-in ad blocker
    • battery saver
    • free VPN
    Download Opera

    Is Opera 82.0.4227.33 protected by Log4Shell attacks?

    Opera for Windows
    4
    6
    2172
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • nephtys59
      nephtys59 last edited by leocg

      Is Opera 82.0.4227.33 protected by Log4Shell attacks?

      See:
      https://nvd.nist.gov/vuln/detail/CVE-2021-44228
      https://nvd.nist.gov/vuln/detail/CVE-2021-45046

      Thanks!

      Reply Quote 1
        leocg 1 Reply Last reply
      • leocg
        leocg Moderator Volunteer @nephtys59 last edited by

        @nephtys59 Opera uses it?

        Reply Quote 0
          nephtys59 1 Reply Last reply
        • nephtys59
          nephtys59 @leocg last edited by

          @leocg I don't know, can't find anything on the Internet. I only read articles in my language (italian) saying that chrome, opera and edge browsers might be affected.

          Reply Quote 1
            blackbird71 1 Reply Last reply
          • blackbird71
            blackbird71 @nephtys59 last edited by blackbird71

            @nephtys59 Log4j2 is a logging package for Java that responds to "calls" made to its library (but which, in the case of the vulnerability, can be made to introduce all manner of unauthorized commands into the host system). Hence, the primary log4j2 vulnerability (CVE-2021-44228, CVE-2021-45046) rests with systems running Java applications or that interface in certain ways with systems running such Java applications. As a result, the ultimate solution to this primarily rests with operators of such systems updating their log4j2 libraries to log4j2.16 or later (an initial log4j2.15 "fix" was found to still have some weaknesses). Given that in the real world, Java applications can exist in myriad places and be deeply embedded into all manner of systems and servers, it's likely that the vulnerability may unfortunately remain with us for a long time to come.

            The question you raised is to what extent a web browser can be impacted by the log4j2 issue. If the browser itself doesn't contain Java calls (not to be confused with the unrelated JavaScript language) or coding modules, then the browser isn't directly affected by the vulnerability. If the browser does contain Java linkages, then it can in theory be affected by the vulnerability even if a vulnerable log4j2 package resides on a server with which the browser is communicating. Whether Opera (or any other browser) contains any Java linkages is for its developers to state.

            That said, even without Java linkages existing in a browser, any server (including web site servers or whatever they themselves may link to) that contains a vulnerable log4j2 package version is susceptible to being hacked in almost any conceivable manner. That, in turn, means the potential for website hacking (even for otherwise "safe" or reputable sites) goes up greatly in the Internet world... and that presents increased risks for all web browsing regardless of the browser. Keeping a browser up to its latest version is a primary defense against a hacked website causing grief to the user's system by exploitation of a browser flaw. But there is little defense against a hacked website itself abusing a user's data if it involves the user logging in and/or supplying personal/financial information to the 'trusted' site. That's where a lot of the current concern about this issue really rests.

            Reply Quote 2
              1 Reply Last reply
            • blackbird71
              blackbird71 last edited by blackbird71

              And now... yet another vulnerability has shown up in the Log4Shell saga: CVE-2021-45105. Apparently, the Log4j2.16 patch has its own issues with that, and so it's been replaced by yet another patch version: Log4j2.17. (https://www.theregister.com/2021/12/19/log4j_new_flaw_cve_2021_45105/ )

              It looks increasingly like this is becoming a Pandora's box of problems...

              Reply Quote 0
                sgunhouse 1 Reply Last reply
              • sgunhouse
                sgunhouse Moderator Volunteer @blackbird71 last edited by

                @blackbird71 Java always was, which is why browsers stopped supporting it.

                Reply Quote 0
                  1 Reply Last reply
                • Locked by  leocg leocg 
                • First post
                  Last post

                Computer browsers

                • Opera for Windows
                • Opera for Mac
                • Opera for Linux
                • Opera beta version
                • Opera USB

                Mobile browsers

                • Opera for Android
                • Opera Mini
                • Opera Touch
                • Opera for basic phones

                • Add-ons
                • Opera account
                • Wallpapers
                • Opera Ads

                • Help & support
                • Opera blogs
                • Opera forums
                • Dev.Opera

                • Security
                • Privacy
                • Cookies Policy
                • EULA
                • Terms of Service

                • About Opera
                • Press info
                • Jobs
                • Investors
                • Become a partner
                • Contact us

                Follow Opera

                • Opera - Facebook
                • Opera - Twitter
                • Opera - YouTube
                • Opera - LinkedIn
                • Opera - Instagram

                © Opera Software 1995-