Posted to notifications@logging.apache.org by GitBox <gi...@apache.org> on 2021/12/10 19:34:18 UTC

[GitHub] [logging-log4j2] vy commented on pull request #608: Restrict LDAP access via JNDI

vy commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991241208


**For those who are looking for a JRE/JDK version to mitigate the problem**, please don't! CVE-2021-44228 creates a large attack surface depending on the imagination of the attacker and an RCE is just one of them. I would strongly advise you to avoid having a false conclusion by relying on a JVM feature targeting a certain attack vector; there are more vectors. Simply either bump `log4j-core` to 2.15.0 or set the `log4j2.formatMsgNoLookups=true` system property.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@logging.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
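
An added example, not part of the original comment or of Log4j: a small audit that checks a deployment against the two remediations named above, a `log4j-core` jar at 2.15.0 or later or the `log4j2.formatMsgNoLookups=true` system property. The paths, the sample arguments, the function names and the rule that the last `-D` occurrence wins are assumptions made for illustration.

```python
import re

FIXED = (2, 15, 0)                        # release named in the comment
PROP = "-Dlog4j2.formatMsgNoLookups="     # system property named in the comment
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?([-.\w]*)\.jar$")

def core_version(jar_path):
    """Parse (major, minor, patch, qualifier) from a log4j-core jar name, else None."""
    m = JAR_RE.search(jar_path)
    if not m:
        return None
    major, minor, patch, qualifier = m.groups()
    return int(major), int(minor), int(patch or 0), qualifier

def below_fixed(version):
    """True if the version sorts before 2.15.0; a qualified 2.15.0 (e.g. -rc1) counts as below."""
    number, qualifier = version[:3], version[3]
    return number < FIXED or (number == FIXED and bool(qualifier))

def lookups_disabled(jvm_args):
    """True if the property is set to true (assumption: the last -D occurrence wins)."""
    state = False
    for arg in jvm_args:
        if arg.startswith(PROP):
            state = arg[len(PROP):].lower() == "true"
    return state

def audit(jar_paths, jvm_args):
    """Report jars older than 2.15.0 and whether either remediation from the comment applies."""
    old = [p for p in jar_paths
           if (v := core_version(p)) is not None and below_fixed(v)]
    flag = lookups_disabled(jvm_args)
    return {"old_jars": old, "flag_set": flag, "mitigated": flag or not old}

# Constructed sample input: classpath entries and JVM arguments of a hypothetical service.
SAMPLE_JARS = [
    "/opt/app/lib/log4j-api-2.14.1.jar",
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/plugins/log4j-core-2.0-beta9.jar",
    "/opt/app/lib/log4j-core-2.15.0.jar",
]
SAMPLE_ARGS = ["-Xmx512m", "-Dlog4j2.formatMsgNoLookups=false"]

if __name__ == "__main__":
    print(audit(SAMPLE_JARS, SAMPLE_ARGS))
```

The check works on jar file names only, so a `log4j-core` copy repackaged inside another archive is not seen by it.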