AssetData contains three Bill-Of-Materials files (they can be viewed with lsbom and created with mkbom). pre.bom states filesystem before update, post.bom - after and payload.bom describes the patches to be applied during update process. It also contains boot folder where bootchain-related files are stored (iBoot, kernelcache, etc.), payloadv2 or payload (depends on PackageVersion value of AssetData/Info.plist file) and Info.plist file which describes the update. Info.plist file from AssetData folder contains PackageVersion field which can be 1.0, 2.0 or 3.0.
All updates with 2.0 package version have payload folder inside AssetData instead of archive.cpio.gz file from 1.0 updates. It contains only two folders: added folder with unencrypted files which are to be added during update process and patches folder. patches folder is used to store BSDIFF40 patches that are applied to files during update process. They can be easily applied manually with bsdiff utility. patches folder file hierarchy is similar to devices root file system (ex. patch for /sbin/launchctl will be found at AssetData/payload/patches/sbin/launchctl). AssetData also contains payload.bom.signature that replaces Info.plist.signature. payload.bom.signature is used to check payload.bom which contains CRC32 of all files inside AssetData folder.
When dealing with different types of settings, an app version requirement would take precedence, followed by Android operating system version requirement and Android patch version requirement. Then, any warnings for all types of settings in the same order are checked.
Government entities, such as CISA and the FTC, have reinforced the importance of patching, along with leveraging fines against businesses failing to take action. While it has been a long-haul response effort, the importance of remediating software and systems vulnerable to Log4Shell remains clear.
Patches were made available to prevent code execution Log4J version 2.15.0, but these patches did not disable inline message lookup, which can expose things like environment variables and system configuration settings to an attacker that can observe the generated logs. Additional patches were made available in Log4J version 2.16.0 to make JNDI lookups disabled by default, limited to certain protocols, and only localhost allowed by default. Further patches have been made in Log4J version 2.17.0 to protect from uncontrolled recursion via self-referential lookups, along with additional patches in Log4J version 2.17.1 for limiting JNDI data source names to the java protocol. 2b1af7f3a8