Posted to notifications@logging.apache.org by "Lucy Menon (Jira)" <ji...@apache.org> on 2021/12/14 01:11:00 UTC

[jira] [Created] (LOG4J2-3221) JNDI lookups in PatternFormatter (not message patterns) enabled in Log4j2 < 2.16.0

Lucy Menon created LOG4J2-3221:
----------------------------------

             Summary: JNDI lookups in PatternFormatter (not message patterns) enabled in Log4j2 < 2.16.0
                 Key: LOG4J2-3221
                 URL: https://issues.apache.org/jira/browse/LOG4J2-3221
             Project: Log4j 2
          Issue Type: Bug
            Reporter: Lucy Menon


The mitigation advice for CVE-2021-4428 suggests that for Log4j > 2.10.0 and < 2.15.0, the vulnerability can be avoided by setting -Dlog4j2.formatMsgNoLookups=true or upgrading to 2.15.0. However, many users may not be aware that even in this case, lookups used in pattern formatters to provide specific pieces of context information will still recursively resolve, possibly triggering JNDI lookups. In order to avoid attacker-controlled JNDI lookups, users must also either:
 * Ensure that no such lookups resolve to attacker-provided data
 * Ensure that the JndiLookup class is not loaded
 * Upgrade to log4j2 2.16.0 (untested)



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
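A defensive check for the second mitigation in the list above (ensuring the JndiLookup class cannot be loaded), as an added example that is not code from the Log4j project or from the reporter: it inspects a log4j-core jar for the class and writes a copy without it. The class path inside the jar is assumed to be the standard one, and the jar the script builds is a constructed placeholder so it runs offline.

```python
import os
import tempfile
import zipfile

# Location of the lookup class inside log4j-core jars (assumption: standard layout).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def has_jndi_lookup(jar_path):
    """True if the jar still contains JndiLookup.class (lookups can reach JNDI)."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_CLASS in jar.namelist()


def strip_jndi_lookup(jar_path, out_path):
    """Write a copy of the jar without JndiLookup.class; return whether it was removed."""
    removed = False
    with zipfile.ZipFile(jar_path) as src, \
            zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_CLASS:
                removed = True
                continue  # drop the class so the JVM can never load it
            dst.writestr(info, src.read(info.filename))
    return removed


def make_constructed_jar(path, include_jndi):
    """Constructed stand-in for a log4j-core jar; entries are placeholders, not bytecode."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"placeholder")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"placeholder")


def demo():
    """Build a jar with the class, strip it, and report (before, removed, after)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "log4j-core-constructed.jar")
        out = os.path.join(d, "log4j-core-constructed-stripped.jar")
        make_constructed_jar(src, include_jndi=True)
        before = has_jndi_lookup(src)
        removed = strip_jndi_lookup(src, out)
        after = has_jndi_lookup(out)
        with zipfile.ZipFile(out) as jar:  # other entries survive the rewrite
            assert "META-INF/MANIFEST.MF" in jar.namelist()
        return before, removed, after


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Run has_jndi_lookup against every log4j-core jar found on a host to confirm the class is gone after patching, since a stripped jar can be overwritten by a later redeploy.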