Posted to notifications@logging.apache.org by "Lucy Menon (Jira)" <ji...@apache.org> on 2021/12/14 15:40:00 UTC

[jira] [Commented] (LOG4J2-3221) JNDI lookups in layout (not message patterns) enabled in Log4j2 < 2.16.0

    [ https://issues.apache.org/jira/browse/LOG4J2-3221?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459255#comment-17459255 ] 

Lucy Menon commented on LOG4J2-3221:
------------------------------------

Confirmed that Log4j2 2.16.0 prevents the jndi lookup entirely on my demo case.

> JNDI lookups in layout (not message patterns) enabled in Log4j2 < 2.16.0
> ------------------------------------------------------------------------
>
>                 Key: LOG4J2-3221
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3221
>             Project: Log4j 2
>          Issue Type: Bug
>            Reporter: Lucy Menon
>            Priority: Major
>
> The mitigation advice for CVE-2021-44228 suggests that for Log4j > 2.10.0 and < 2.15.0, the vulnerability can be avoided by setting -Dlog4j2.formatMsgNoLookups=true or upgrading to 2.15.0. However, many users may not be aware that even in this case, lookups used in layouts to provide specific pieces of context information will still recursively resolve, possibly triggering JNDI lookups. In order to avoid attacker-controlled JNDI lookups, users must also either:
>  * Ensure that no such lookups resolve to attacker-provided data
>  * Ensure that the JndiLookup class is not loaded
>  * Upgrade to log4j2 2.16.0 (untested)



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
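The behaviour the issue describes, as an added example that is not part of the Jira thread or of the Log4j project's own code. It assumes log4j-api and log4j-core 2.x (one of the versions the reporter discusses, below 2.15.0) on the classpath; the logger name, the temporary config file, the "user" context key and the layout pattern are this example's own choices. It sets formatMsgNoLookups=true, then logs once with a harmless lookup string (${java:version}, chosen deliberately instead of a jndi: string) placed both in the message and in the thread context, so the two code paths can be compared in the output: the message text is left verbatim by the property, while the deferred context lookup $${ctx:user} in the layout re-resolves whatever the thread context holds. The second half is the check for the issue's second remedy, whether the JndiLookup class is loadable at all.

```java
// Added example, not code from the Jira issue or from Log4j itself.
// Assumes log4j-api + log4j-core 2.x (< 2.15.0) on the classpath.
import java.nio.file.Files;
import java.nio.file.Path;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.ThreadContext;

public class LayoutLookupDemo {
    // Constructed demo configuration (this example's own, not a recommended config):
    // the PatternLayout embeds a deferred context lookup ($$ so it is resolved per
    // event rather than once at configuration time) next to the plain %X converter.
    private static final String CONFIG =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<Configuration status=\"WARN\">\n"
      + "  <Appenders>\n"
      + "    <Console name=\"Stdout\" target=\"SYSTEM_OUT\">\n"
      + "      <PatternLayout pattern=\"lookup=[$${ctx:user}] converter=[%X{user}] %m%n\"/>\n"
      + "    </Console>\n"
      + "  </Appenders>\n"
      + "  <Loggers>\n"
      + "    <Root level=\"info\"><AppenderRef ref=\"Stdout\"/></Root>\n"
      + "  </Loggers>\n"
      + "</Configuration>\n";

    // Remedy 2 from the issue: is JndiLookup reachable from this classloader?
    // Returns false when the class has been removed from log4j-core.jar.
    public static boolean jndiLookupPresent() {
        try {
            Class.forName("org.apache.logging.log4j.core.lookup.JndiLookup");
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // The mitigation the issue says is not sufficient on its own.
        System.setProperty("log4j2.formatMsgNoLookups", "true");

        Path cfg = Files.createTempFile("log4j2-layout-demo", ".xml");
        Files.writeString(cfg, CONFIG);
        System.setProperty("log4j2.configurationFile", cfg.toUri().toString());

        Logger log = LogManager.getLogger(LayoutLookupDemo.class);

        // Stand-in for attacker-provided data (e.g. a request header copied into the
        // thread context). A benign lookup is used as the marker on purpose.
        ThreadContext.put("user", "${java:version}");
        log.info("login attempt, message also contains ${java:version}");
        ThreadContext.clearMap();

        System.out.println("JndiLookup loadable: " + jndiLookupPresent());
    }
}
```

Run it against the exact log4j-core build you ship and compare the three fields of the output line: on the versions the reporter is describing, the lookup=[...] field shows the resolved Java version while the message keeps the literal ${java:version}, which is the gap the issue is about. The class check is only meaningful when run with the same classpath as the application; a vulnerability scanner looking at a jar on disk is a separate check.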