Posted to notifications@logging.apache.org by GitBox <gi...@apache.org> on 2021/12/16 11:33:37 UTC

[GitHub] [logging-log4j2] SkySwimmer opened a new pull request #633: Completely disable JNDI, to patch CVE-2021-44228

SkySwimmer opened a new pull request #633:
URL: https://github.com/apache/logging-log4j2/pull/633


   I have completely removed JNDI from the Interpolator, so that the CVE-2021-44228 exploit will not be able to call LDAP.
   
   ```java
   // Interpolator.java (org.apache.logging.log4j.core.lookup.Interpolator)
   // ...
            strLookupMap.put("base64", new Base64StrLookup());
            strLookupMap.put("lower", new LowerLookup());
            strLookupMap.put("upper", new UpperLookup());
   -        // JNDI
   -        if (JndiManager.isJndiEnabled()) {
   -            try {
   -                // [LOG4J2-703] We might be on Android
   -                strLookupMap.put(LOOKUP_KEY_JNDI,
   -                        Loader.newCheckedInstanceOf("org.apache.logging.log4j.core.lookup.JndiLookup", StrLookup.class));
   -            } catch (final LinkageError | Exception e) {
   -                handleError(LOOKUP_KEY_JNDI, e);
   -            }
   -        }
   // ...
   ```
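Review bot: the removed block is already wrapped in `if (JndiManager.isJndiEnabled())`, so the JNDI lookup is only registered when that switch is on; deleting the block outright turns that configuration option into a no-op without saying so, and by itself it does not "completely disable JNDI" as the title claims, because `JndiLookup` and `JndiManager` remain in the jar and reachable from other code paths. Suggest either keeping the existing gate and documenting its default, or, if full removal is the intent, also removing the `JndiLookup` class and the now-unused `LOOKUP_KEY_JNDI` constant in the same change and stating in the description how this differs from the gate that is already there, so reviewers can judge whether the patch is redundant.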
   
   I hope this helps.
   - Sky Swimmer - AerialWorks Software Foundation


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@logging.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [logging-log4j2] SkySwimmer closed pull request #633: [possibly redundant] Completely disable JNDI in Interpolator.java, in the hope to patch CVE-2021-44228

Posted by GitBox <gi...@apache.org>.
SkySwimmer closed pull request #633:
URL: https://github.com/apache/logging-log4j2/pull/633


   





[GitHub] [logging-log4j2] SkySwimmer commented on pull request #633: [possibly redundant] Completely disable JNDI in Interpolator.java, in the hope to patch CVE-2021-44228

Posted by GitBox <gi...@apache.org>.
SkySwimmer commented on pull request #633:
URL: https://github.com/apache/logging-log4j2/pull/633#issuecomment-995756888


   Sorry about the capitalization of the title





[GitHub] [logging-log4j2] SkySwimmer edited a comment on pull request #633: Completely disable JNDI in Interpolator.java, in the hope to patch CVE-2021-44228

Posted by GitBox <gi...@apache.org>.
SkySwimmer edited a comment on pull request #633:
URL: https://github.com/apache/logging-log4j2/pull/633#issuecomment-995739315


   Sorry if this patch is redundant, I wasn't sure it was patched already





[GitHub] [logging-log4j2] SkySwimmer commented on pull request #633: Completely disable JNDI in Interpolator.java, in the hope to patch CVE-2021-44228

Posted by GitBox <gi...@apache.org>.
SkySwimmer commented on pull request #633:
URL: https://github.com/apache/logging-log4j2/pull/633#issuecomment-995739315


   Sorry if this patch is redundant, I wasn't sure it was patched anymore

