Posted to notifications@logging.apache.org by GitBox <gi...@apache.org> on 2021/12/11 04:41:54 UTC

[GitHub] [logging-log4j2] Marcono1234 edited a comment on pull request #608: Restrict LDAP access via JNDI

Marcono1234 edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991396409


The latest Java versions are most likely still vulnerable to RCE. While they prevent loading classes from remote sources by default (`trustURLCodebase` property mentioned in the comments above), they still permit regular deserialization of classes on the classpath of the application. It has been shown multiple times in the past that JDK classes and classes from external libraries can be combined to create so-called deserialization "gadget chains", which allow RCE.
And even if no such gadget chain is publicly known for the libraries you are using, it is likely that it just has not been discovered or publicly disclosed yet.

Could the misleading statement suggesting that certain Java versions are not affected by RCE please be removed from the CVE entry description and the GitHub advisory GHSA-jfh8-c2jp-5v3q?
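A defender's illustration of the point made in the comment above (added here; not code from the PR, the comment, or the Log4j project): because the `trustURLCodebase` default only blocks remote codebases, a process-wide deserialization filter (Java 9+ `java.io.ObjectInputFilter`, or the `-Djdk.serialFilter` JVM property on 8u121+) is one defense-in-depth measure that refuses serialized objects regardless of which gadget classes happen to be on the classpath. The sample installs a reject-all filter and shows a locally constructed, harmless `HashMap` being refused; a production deployment would use an application-specific allowlist pattern instead of `!*`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;

public class SerialFilterDemo {

    // Process-wide filter: "!*" rejects every class, so any ObjectInputStream in
    // the JVM (including the one JNDI uses for LDAP-returned objects) fails with
    // InvalidClassException before a gadget chain's readObject() can run.
    // Equivalent JVM flag: -Djdk.serialFilter='!*'
    // Note: the global filter may only be set once per JVM.
    static void installRejectAllFilter() {
        ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config.createFilter("!*"));
    }

    // Constructed sample input: a benign object serialized locally.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = serialize(new HashMap<String, String>());
        // Without a filter, a classpath class deserializes normally.
        System.out.println("Before filter: " + deserialize(payload).getClass().getName());

        installRejectAllFilter();
        try {
            deserialize(payload);
            System.out.println("Filter did not apply");
        } catch (InvalidClassException e) {
            // Expected: the filter status REJECTED is reported here.
            System.out.println("Rejected by serial filter: " + e.getMessage());
        }
    }
}
```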

