Posted to notifications@logging.apache.org by "Matt Sicker (Jira)" <ji...@apache.org> on 2021/12/16 16:50:00 UTC

[jira] [Resolved] (LOG4J2-3221) JNDI lookups in layout (not message patterns) enabled in Log4j2 < 2.16.0

     [ https://issues.apache.org/jira/browse/LOG4J2-3221?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Sicker resolved LOG4J2-3221.
---------------------------------
    Resolution: Fixed

> JNDI lookups in layout (not message patterns) enabled in Log4j2 < 2.16.0
> ------------------------------------------------------------------------
>
>                 Key: LOG4J2-3221
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3221
>             Project: Log4j 2
>          Issue Type: Bug
>            Reporter: Lucy Menon
>            Priority: Major
>             Fix For: 2.16.0
>
>
> The mitigation advice for CVE-2021-4428 suggests that for Log4j > 2.10.0 and < 2.15.0, the vulnerability can be avoided by setting -Dlog4j2.formatMsgNoLookups=true or upgrading to 2.15.0. However, many users may not be aware that even in this case, lookups used in layouts to provide specific pieces of context information will still recursively resolve, possibly triggering JNDI lookups. In order to avoid attacker-controlled JNDI lookups, users must also either:
>  * Ensure that no such lookups resolve to attacker-provided data
>  * Ensure that the JndiLookup class is not loaded
>  * Upgrade to log4j2 2.16.0 (untested)



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
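The issue above makes two points a defender needs to check: the formatMsgNoLookups flag only covers message patterns (layout lookups keep resolving below 2.16.0), and removing the JndiLookup class is one of the remaining mitigations. The following Python script is an added example written for this archive page; it is not code from the Jira issue or from the Log4j project. It encodes the version/flag reasoning stated in the issue as a small assessment function, and implements the "JndiLookup class is not loaded" mitigation as a repeatable jar check plus a stripped copy. The jar it inspects is a constructed stand-in built in memory with placeholder entries, and the entry path org/apache/logging/log4j/core/lookup/JndiLookup.class is the well-known location of that class in log4j-core.

```python
"""Assess a Log4j 2 deployment against LOG4J2-3221 and strip JndiLookup from a jar.

Added example, not part of the Jira issue or the Log4j project. The sample jar
below is constructed in memory with placeholder bytes; it is not a real log4j-core.
"""
import io
import zipfile

# Well-known path of the JndiLookup class inside log4j-core jars.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare as tuples."""
    return tuple(int(part) for part in text.split("."))


def assess(version: str, format_msg_no_lookups: bool) -> dict:
    """Report which lookup paths still resolve, following the issue text:
    - the formatMsgNoLookups flag applies to releases after 2.10.0, and
      2.15.0 stops message-pattern lookups on its own;
    - lookups placed in layouts keep resolving recursively until 2.16.0,
      whatever the flag says.
    """
    v = parse_version(version)
    message_lookups = v < (2, 15, 0) and not (v > (2, 10, 0) and format_msg_no_lookups)
    layout_lookups = v < (2, 16, 0)
    return {"message_lookups": message_lookups, "layout_lookups": layout_lookups}


def has_jndi_lookup(jar_bytes: bytes) -> bool:
    """True if the jar still contains the JndiLookup class entry."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return JNDI_LOOKUP_ENTRY in jar.namelist()


def strip_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Return a copy of the jar with the JndiLookup entry removed.

    Every other entry is copied with its original ZipInfo metadata so the
    hardened jar differs from the input only by the missing class.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_ENTRY:
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def entry_names(jar_bytes: bytes) -> list:
    """Sorted list of entry paths in the jar (used to verify the stripped copy)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(jar.namelist())


def build_sample_jar(include_jndi: bool) -> bytes:
    """Constructed stand-in jar: placeholder bytes, not real class files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for ver, flag in [("2.14.1", True), ("2.14.1", False), ("2.16.0", False)]:
        print(ver, "formatMsgNoLookups=%s" % flag, assess(ver, flag))
    original = build_sample_jar(include_jndi=True)
    hardened = strip_jndi_lookup(original)
    print("JndiLookup present before:", has_jndi_lookup(original))
    print("JndiLookup present after: ", has_jndi_lookup(hardened))
    print("remaining entries:", entry_names(hardened))
```

On a real deployment, replace build_sample_jar with the bytes of the log4j-core jar on the classpath and write the result of strip_jndi_lookup back to disk; the assess() output for a 2.14.x release with the flag set shows why that flag alone does not close the layout path.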