Posted to notifications@logging.apache.org by "Volkan Yazici (Jira)" <ji...@apache.org> on 2021/12/24 14:37:00 UTC

[jira] [Commented] (LOG4J2-3262) Log4j 2.x mitigations for CVE-45046 are insufficient

    [ https://issues.apache.org/jira/browse/LOG4J2-3262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17465041#comment-17465041 ] 

Volkan Yazici commented on LOG4J2-3262:
---------------------------------------

Thanks so much for the heads up [~sivakumarsivaprahasam]! The issue you have raised should have been addressed. Would you mind checking [the security page|https://logging.apache.org/log4j/2.x/security.html] again and closing this ticket (if you think your remarks were addressed), please?

Next time, please consider opening a PR targeting the {{release-2.x}} branch instead.

> Log4j 2.x mitigations for CVE-45046 are insufficient
> ----------------------------------------------------
>
>                 Key: LOG4J2-3262
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3262
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: Documentation
>            Reporter: Sivakumar Sivaprahasam
>            Priority: Major
>              Labels: security
>
> The mitigation steps provided for CVE-2021-45046 for those who cannot upgrade to 2.16 seem insufficient. The current description for CVE-2021-45046 says it includes attacks using a non-default Pattern Layout with a Context Lookup in the configuration.
> The removal of the JndiLookup class file isn't the only solution to curb this issue, because the lookup still occurs when the config is loaded.
> Hence the mitigation steps must include the removal of references to context lookups where the data comes from ThreadContext or from external sources at runtime (similar to the one provided for CVE-2021-45105, or the same can be included here too).
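The configuration shape the report refers to, as an added illustration that is not part of the ticket or of the Log4j project's own documentation: a PatternLayout whose pattern carries a Context Lookup (`${ctx:...}`) is re-evaluated with ThreadContext data at log time, whereas a Thread Context Map pattern converter (`%X{...}`) only prints the value. The appender name, logger level and the `loginId` key are assumptions chosen for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the ticket or the project. -->
<Configuration status="WARN">
  <Appenders>

    <!-- RISKY (before): the $${ctx:loginId} lookup is resolved at log time,
         so whatever was stored under "loginId" in the ThreadContext map is
         itself subject to lookup substitution. This is the "non-default
         Pattern Layout with a Context Lookup" the CVE text describes. -->
    <Console name="ConsoleWithLookup" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] $${ctx:loginId} %m%n"/>
    </Console>

    <!-- MITIGATED (after): %X{loginId} is a Thread Context Map pattern
         converter. It prints the stored value verbatim and performs no
         lookup substitution on it, which is the replacement the ticket asks
         the mitigation steps to mention. -->
    <Console name="ConsoleWithMdc" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] %X{loginId} %m%n"/>
    </Console>

  </Appenders>
  <Loggers>
    <!-- Wire only the mitigated appender into the root logger. -->
    <Root level="info">
      <AppenderRef ref="ConsoleWithMdc"/>
    </Root>
  </Loggers>
</Configuration>
```

When auditing an existing deployment, the check is a search of every Log4j configuration (and any file it includes) for `${ctx:`, `$${ctx:` and the `:-` default-value syntax inside layout patterns, then confirming each hit has been replaced by the equivalent `%X`, `%mdc` or `%MDC` converter. Removing `JndiLookup.class` alone leaves those patterns in place, which is the point the ticket makes.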



--
This message was sent by Atlassian Jira
(v8.20.1#820001)