Posted to notifications@logging.apache.org by "Volkan Yazici (Jira)" <ji...@apache.org> on 2021/12/24 14:37:00 UTC

[jira] [Resolved] (LOG4J2-3262) Log4j 2.x mitigations for CVE-2021-45046 are insufficient

     [ https://issues.apache.org/jira/browse/LOG4J2-3262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Volkan Yazici resolved LOG4J2-3262.
-----------------------------------
    Resolution: Fixed

> Log4j 2.x mitigations for CVE-2021-45046 are insufficient
> ---------------------------------------------------------
>
>                 Key: LOG4J2-3262
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3262
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: Documentation
>            Reporter: Sivakumar Sivaprahasam
>            Priority: Major
>              Labels: security
>
> The mitigation steps provided for CVE-2021-45046 for those who cannot upgrade to 2.16 seem insufficient. The current description for CVE-2021-45046 says it includes attacks using a non-default Pattern Layout with a Context Lookup in the configuration.
> The removal of the JndiLookup class file isn't the only solution to curb this issue, because the lookup still occurs when the config is loaded.
> Hence the mitigation steps must include the removal of references to context lookups where the data comes from ThreadContext or from external sources at runtime (similar to the one provided for CVE-2021-45105, or the same can be included here too).

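The configuration change the report asks for, shown as an added example that is not part of this Jira issue and not Log4j's own code: a constructed log4j2.xml whose PatternLayouts read Thread Context (MDC) values through Context Lookups ($${ctx:loginId} as a pattern attribute, ${ctx:sessionId:-none} in a nested Pattern element), a checker that lists every such lookup, and a rewrite to the %X{name} converter, which prints the MDC value as-is instead of feeding it back into the string substitutor. The sample configuration, appender names and helper functions are assumptions for illustration; the script only inspects ctx: lookups declared on PatternLayout elements, so lookups elsewhere in a configuration need a wider search.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample log4j2.xml (not from the report): two appenders whose
# PatternLayouts pull Thread Context (MDC) values through a Context Lookup,
# once via the 'pattern' attribute and once via a nested <Pattern> element.
VULNERABLE_CONFIG = """\
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p [$${ctx:loginId}] %c - %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d [${ctx:sessionId:-none}] %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
      <AppenderRef ref="Audit"/>
    </Root>
  </Loggers>
</Configuration>
"""

# A Context Lookup: ${ctx:NAME} or $${ctx:NAME}, optionally with a ":-default".
# The double-dollar form defers interpolation until each event is formatted.
CTX_LOOKUP_RE = re.compile(r"\$\$?\{ctx:([^}:]+)(?::-[^}]*)?\}")


def _layout_patterns(config_xml: str) -> List[str]:
    """Collect every pattern string declared on a PatternLayout, whether it is
    given as the 'pattern' attribute or as a nested <Pattern> element."""
    root = ET.fromstring(config_xml)
    patterns = []
    for layout in root.iter("PatternLayout"):
        if layout.get("pattern"):
            patterns.append(layout.get("pattern"))
        for child in layout.findall("Pattern"):
            if child.text:
                patterns.append(child.text)
    return patterns


def find_context_lookups(config_xml: str) -> List[str]:
    """Return the raw text of each Context Lookup found in any PatternLayout.
    An empty list means no layout re-interpolates MDC data at format time."""
    return [m.group(0)
            for pattern in _layout_patterns(config_xml)
            for m in CTX_LOOKUP_RE.finditer(pattern)]


def rewrite_context_lookups(pattern: str) -> str:
    """Replace each ${ctx:NAME} / $${ctx:NAME} with the %X{NAME} converter,
    which emits the MDC value verbatim instead of running it through the
    substitutor. A ':-default' suffix is dropped because %X has no default."""
    return CTX_LOOKUP_RE.sub(r"%X{\1}", pattern)


def harden_config(config_xml: str) -> str:
    """Apply rewrite_context_lookups to every PatternLayout in the document
    and return the rewritten configuration as XML text."""
    root = ET.fromstring(config_xml)
    for layout in root.iter("PatternLayout"):
        if layout.get("pattern"):
            layout.set("pattern", rewrite_context_lookups(layout.get("pattern")))
        for child in layout.findall("Pattern"):
            if child.text:
                child.text = rewrite_context_lookups(child.text)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", find_context_lookups(VULNERABLE_CONFIG))
    fixed = harden_config(VULNERABLE_CONFIG)
    print("after: ", find_context_lookups(fixed))
    print(fixed)
```

To audit a deployed configuration, read the file's text and pass it to find_context_lookups; a non-empty result is a layout that still resolves MDC-controlled input through the substitutor even after JndiLookup has been removed from the jar. Note that the rewrite drops any ":-default" part of a lookup, so a pattern that relied on a default value needs a manual follow-up.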


--
This message was sent by Atlassian Jira
(v8.20.1#820001)