Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
Description
The mitigation steps provided for CVE-2021-45046 for those who cannot upgrade to 2.16 seem insufficient. The current description for CVE-2021-45046 says it includes attacks using a non-default Pattern Layout with a Context Lookup in the configuration.
The removal of the JndiLookup class file isn't the only solution to curb this issue, because the lookup still occurs when the config is loaded.
Hence the mitigation steps must include the removal of references to context lookups where the data comes from ThreadContext or from external sources at runtime (similar to the one provided for CVE-2021-45105; or the same can be included here too).
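As an added illustration (not part of the original issue or of the Log4j project's documentation), a minimal log4j2.xml shows the kind of non-default PatternLayout the report refers to, with a Context Lookup on a ThreadContext key, beside the same layout rewritten to emit that key through the %X pattern converter instead. The appender names and the "loginId" key are constructed for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example configuration; appender names and the loginId key are illustrative. -->
<Configuration status="WARN">
  <Appenders>
    <!-- Weak setting: the layout carries a Context Lookup. The doubled "$$" defers
         evaluation to log time, so the ThreadContext value for "loginId" is run
         through the lookup machinery on every event. Deleting JndiLookup.class
         removes only the JNDI lookup, not this lookup evaluation itself, which is
         the gap the report describes. -->
    <Console name="WithContextLookup" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %-5p [$${ctx:loginId}] %c - %m%n"/>
    </Console>

    <!-- Mitigated setting: the same field is printed with the %X (thread context
         map) converter, which emits the stored value as plain text and does not
         hand it to the lookup mechanism. -->
    <Console name="WithContextPattern" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %-5p [%X{loginId}] %c - %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info">
      <!-- Only the mitigated appender is wired in; the other is kept for comparison. -->
      <AppenderRef ref="WithContextPattern"/>
    </Root>
  </Loggers>
</Configuration>
```

When reviewing a deployment that cannot upgrade, search every layout pattern (including those in programmatic configuration) for `${ctx:`, `$${ctx:` and other lookup prefixes, not just for the JndiLookup class.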