Posted to notifications@logging.apache.org by "Matt Sicker (Jira)" <ji...@apache.org> on 2022/01/17 20:32:00 UTC

[jira] [Resolved] (LOG4J2-3320) log4j vulnerability / Mitigations

     [ https://issues.apache.org/jira/browse/LOG4J2-3320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Sicker resolved LOG4J2-3320.
---------------------------------
    Resolution: Information Provided

Your linked configuration looks fine. The only lookup you're using is the system properties lookup, which has never been affected by the CVEs. You are also using the appropriate pattern layout options and not using the vulnerable way of doing so.

> log4j vulnerability / Mitigations
> ---------------------------------
>
>                 Key: LOG4J2-3320
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3320
>             Project: Log4j 2
>          Issue Type: Bug
>            Reporter: encryptomator
>            Priority: Major
>
> Hi,
> I have read that besides the JndiLookup classes, there are others that need to be removed.
> JndiManager, JMSAppender, SMTPAppender.
> Does anyone here know more about this?
> https://fossa.com/blog/quickly-find-remediate-log4j-vulnerabilities-log4shell/


