After 2.8.2, there's a class whitelist used for deserializing data in the receiver.
On 7 February 2018 at 12:19, Gintautas Grigelionis <g.grigelio...@gmail.com> wrote:

> Sorry, could you please clarify whether there are different aspects pertaining to 1.x and 2.x up to and after 2.8.2?
>
> Thanks, Gintas
>
> 2018-02-07 19:10 GMT+01:00 Matt Sicker <boa...@gmail.com>:
>
> > Based on that version, this is related to using Java serialization for logs. The general workaround here is to use a different format like JSON instead to avoid the vulnerability entirely.
> >
> > On 7 February 2018 at 12:03, Gintautas Grigelionis <g.grigelio...@gmail.com> wrote:
> >
> > > Exactly, what I meant is that it's worth pointing out that not even all versions of log4j 2.x are safe.
> > >
> > > Gintas
> > >
> > > 2018-02-07 18:18 GMT+01:00 Stefan Bodewig <bode...@apache.org>:
> > >
> > > > On 2018-02-07, Gintautas Grigelionis wrote:
> > > >
> > > > > The CVE says it affects SocketServer up to Log4j 2.8.2, so it's not only a Log4j 1.x issue. Did I miss something?
> > > >
> > > > The subject is how it has been reported to us.
> > > >
> > > > Prior to the latest releases you have not been able to use log4j2, so there is no reason to talk about those versions. The recommended mitigation of "don't use Log4JListener or use the log4j2-bridge" is correct; one might add "of a log4j 2.x version that is not vulnerable to the attack".
> > > >
> > > > Stefan

--
Matt Sicker <boa...@gmail.com>
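The workaround discussed above (ship logs as JSON rather than Java-serialized objects), as an added illustration that is not part of the thread or of the Log4j project itself: a Log4j 2 client-side configuration with the Socket appender in its serialized form beside the JSON form. The host names and ports are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration (not from the thread): a Log4j 2 client configuration
     shipping events to a remote receiver over a Socket appender. -->
<Configuration status="WARN">
  <Appenders>
    <!-- Weak: Java serialization on the wire. A receiver that reconstructs
         arbitrary Java objects from the stream without a class whitelist
         (Log4j 2 SocketServer up to 2.8.2, per the thread) is exposed to
         deserialization attacks. Kept here only for comparison; nothing
         references it below. -->
    <Socket name="SerializedSocket"
            host="log-collector.example.internal"
            port="4712" protocol="TCP">
      <SerializedLayout/>
    </Socket>

    <!-- Corrected: JSON on the wire. The receiver parses text and never
         deserializes Java objects, which sidesteps the issue entirely. -->
    <Socket name="JsonSocket"
            host="log-collector.example.internal"
            port="4713" protocol="TCP">
      <!-- one compact JSON object per line, including context properties -->
      <JsonLayout compact="true" eventEol="true" properties="true"/>
    </Socket>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="JsonSocket"/>
    </Root>
  </Loggers>
</Configuration>
```

The receiving side must be started in JSON mode as well (the thread's point is the receiver's deserialization, so the client change alone does not help if the collector still listens for serialized objects).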