Santa Claus Issues YuleLog4J AdvisoryDecember 24, 2021
Christmas revelers and elves are urged to patch their fireplaces, as a Remote Combustion Effect (RCE) vulnerability has been discovered in the traditional holiday YuleLog4J. YuleLog4J is one of the most popular holiday celebrations, appearing in approximately 64% of fireplaces and streamed to millions of homes over Netflix and Amazon Prime.
The vulnerability occurs in the Jingle Naming and Directory Interface (JNDI), a utility that enables lookups of holiday cheer from remote sources. Unpatched versions of YuleLog4J can load potentially un-cheerful items such as coal, traditionally reserved as a stocking stuffer. The advisory was managed through coordinated disclosure between the North Pole and the GiftHub Security Research Team.
Additional vulnerabilities have been detected that may impact holiday celebrations. Previous version of YuleLog4J are also at risk of a Denial of Santa (DoS) vulnerability in recursive lookups based when paired with untrusted kindling.
Mitigating Your Risk
Patches to defend the RCE are available in YuleLog4J 2.17.0.
Additional recommendations for a safe holiday are available in the Code of the Elves:
- Treat every day like Christmas.
- There’s room for everyone on the nice list.
- The best way to spread Christmas cheer is singing loud for all to hear.