Severity
Critical
Vendor
The Apache Software Foundation
Versions Affected
Apache JSPWiki 2.11.0
Description
The Apache JSPWiki 2.11.0 release bundles a version of the Apache Log4J library that is vulnerable to remote code execution. For the full impact and additional detail, consult the Log4J security page.
Apache JSPWiki releases prior to 2.11.0 use Log4J 1.2.17, which may be vulnerable for installations that use a non-default logging configuration including the JMS Appender; see https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 for discussion.
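The following Python script is an added example, not part of this advisory or of the JSPWiki project. It inspects a deployed JSPWiki WAR for the two situations described above: a bundled Log4J 2.x log4j-core jar that still contains the JndiLookup class, and a Log4J 1.x jar whose logging configuration references the JMSAppender. The jar naming pattern, the configuration paths under WEB-INF/classes, and the sample WAR the script builds for itself are assumptions; the version strings in that sample are constructed for the demonstration and say nothing about which Log4J build any JSPWiki release actually ships.

```python
"""Check a JSPWiki WAR for the bundled Log4J cases named in the advisory.

Added example, not the advisory's or the project's own code.  It reports
(1) the log4j / log4j-core jar found under WEB-INF/lib and its version,
(2) for Log4J 2.x, whether the jar still contains the JndiLookup class that
    implements ${jndi:...} lookups, and
(3) for Log4J 1.x, whether the jar ships JMSAppender AND a configuration file
    under WEB-INF/classes references it (the non-default setup the advisory
    calls out).  Jar names, config paths and the sample WAR are assumptions.
"""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER_CLASS = "org/apache/log4j/net/JMSAppender.class"
# Matches log4j-1.2.17.jar (1.x) and log4j-core-2.x.y.jar (2.x); log4j-api
# and the log4j-1.2-api bridge are deliberately not matched.
LOG4J_JAR_RE = re.compile(r"(?:^|/)(log4j(?:-core)?)-(\d+(?:\.\d+)+)\.jar$")
CONFIG_FILES = ("WEB-INF/classes/log4j.properties",
                "WEB-INF/classes/log4j.xml",
                "WEB-INF/classes/log4j2.xml")


@dataclass
class Log4jFinding:
    jar: str
    version: str
    major: int
    has_jndi_lookup: bool = False       # meaningful for 2.x only
    has_jms_appender: bool = False      # meaningful for 1.x only
    jms_appender_configured: bool = False


def _jar_has_entry(war: zipfile.ZipFile, jar_name: str, entry: str) -> bool:
    """Open the nested jar inside the WAR and look for a class entry."""
    with war.open(jar_name) as raw, zipfile.ZipFile(io.BytesIO(raw.read())) as jar:
        return entry in jar.namelist()


def _config_mentions_jms_appender(war: zipfile.ZipFile) -> bool:
    names = set(war.namelist())
    return any(p in names and b"JMSAppender" in war.read(p) for p in CONFIG_FILES)


def scan_war(war_bytes: bytes) -> List[Log4jFinding]:
    """Return one finding per Log4J jar bundled under WEB-INF/lib."""
    findings: List[Log4jFinding] = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        jms_configured = _config_mentions_jms_appender(war)
        for name in war.namelist():
            m = LOG4J_JAR_RE.search(name)
            if not m or not name.startswith("WEB-INF/lib/"):
                continue
            version = m.group(2)
            f = Log4jFinding(jar=name, version=version, major=int(version.split(".")[0]))
            if f.major >= 2:
                f.has_jndi_lookup = _jar_has_entry(war, name, JNDI_LOOKUP_CLASS)
            else:
                f.has_jms_appender = _jar_has_entry(war, name, JMS_APPENDER_CLASS)
                f.jms_appender_configured = jms_configured
            findings.append(f)
    return findings


def needs_attention(f: Log4jFinding) -> bool:
    """True when the finding matches a case the advisory describes.  For 2.x
    the version must still be compared against the Log4J security page."""
    if f.major >= 2:
        return f.has_jndi_lookup
    return f.has_jms_appender and f.jms_appender_configured


def _zip_bytes(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, data in entries.items():
            z.writestr(path, data)
    return buf.getvalue()


def build_sample_war(version: str = "2.14.1", strip_jndi: bool = False) -> bytes:
    """Constructed stand-in for a WAR bundling Log4J 2.x (not a real release)."""
    core = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"}
    if not strip_jndi:
        core[JNDI_LOOKUP_CLASS] = b"\xca\xfe\xba\xbe"   # fake class bytes
    return _zip_bytes({
        f"WEB-INF/lib/log4j-core-{version}.jar": _zip_bytes(core),
        f"WEB-INF/lib/log4j-api-{version}.jar": _zip_bytes({}),
        "WEB-INF/classes/log4j2.xml": b"<Configuration><Appenders/></Configuration>",
    })


def build_legacy_sample_war(jms_in_config: bool) -> bytes:
    """Constructed stand-in for a pre-2.11.0 style WAR bundling Log4J 1.2.17."""
    props = b"log4j.rootLogger=INFO, jms\n" \
            b"log4j.appender.jms=org.apache.log4j.net.JMSAppender\n" if jms_in_config \
        else b"log4j.rootLogger=INFO, stdout\n"
    return _zip_bytes({
        "WEB-INF/lib/log4j-1.2.17.jar": _zip_bytes({JMS_APPENDER_CLASS: b"\xca\xfe\xba\xbe"}),
        "WEB-INF/classes/log4j.properties": props,
    })


if __name__ == "__main__":
    for f in scan_war(build_sample_war()) + scan_war(build_legacy_sample_war(True)):
        print(f"{f.jar}: version {f.version}, needs attention: {needs_attention(f)}")
```

Point `scan_war` at the bytes of a real WAR (for example `open("JSPWiki.war", "rb").read()`) to inspect a deployment; a 2.x jar reported with the JndiLookup class present should be checked against the versions listed on the Log4J security page referenced below, and a 1.x jar is only flagged when the JMSAppender is both present and configured.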
Mitigation
Any one of the following is sufficient to mitigate this vulnerability for Apache JSPWiki installations:
References
https://logging.apache.org/log4j/2.x/security.html