On Tue, 14 Dec 2021 10:38:43 -0500, Phil Smith III <[email protected]> wrote:
>Making things even more confusing, there are lots of ways to use log4j, only
>some of which expose this vulnerability. For example, Splunk uses it, but
>says the exploit matters on "All supported non-Windows versions of 8.1.x and
>8.2.x only if Hadoop (Hunk) and/or DFS are used."
>
>It appears that the offending libraries are always installed, so some/many
>systems will show up in scans, but are not really at risk. The good news is
>that in those cases, those jars can be renamed/moved/removed to clear up the
>false positive.

You bring up a good point. There are hits for this in base JAVA V8, both 31-bit and 64-bit, so consequently, any JAVA based app could be using it without actually including their own copy of log4j.

That also means that the local workaround is a bit more difficult too, as the override isn't a global change, unless I am misunderstanding? Isn't this a run-time option?

-Dlog4j2.formatMsgNoLookups=True

No one has said if there is a method to set this as a default in JAVA itself if no one specifies something different.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
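A check for the scan/false-positive point discussed above, added here as an example and not part of the thread: it walks a directory for log4j-core jars, reads the version from the jar's Maven pom.properties entry, and reports whether the JndiLookup class is still inside, so a jar that was fixed by removing that class stops showing up as a hit. The sample jars are constructed in a temporary directory and hold no real bytecode; the version string 2.14.1 is a sample value.

```python
import os
import tempfile
import zipfile

# Class whose presence lets log4j-core resolve JNDI lookups from log messages.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j-core jars; it carries a "version=" line.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def inspect_jar(path):
    """Return (version, has_jndi_lookup) for a log4j-core jar, else None."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            if POM_PROPS not in names and JNDI_LOOKUP not in names:
                return None  # some other jar, not log4j-core
            version = None
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            return version, JNDI_LOOKUP in names
    except (OSError, zipfile.BadZipFile):
        return None  # unreadable file or not a zip/jar at all

def scan_tree(root):
    """Walk root and map each log4j-core jar path to (version, has_jndi_lookup)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                result = inspect_jar(os.path.join(dirpath, name))
                if result is not None:
                    findings[os.path.join(dirpath, name)] = result
    return findings

def demo():
    """Constructed sample tree: one jar still carrying JndiLookup, one fixed."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    os.makedirs(os.path.join(root, "lib", "nested"))
    specs = [("lib/log4j-core-2.14.1.jar", True),
             ("lib/nested/log4j-core-2.14.1-fixed.jar", False)]
    for rel, with_jndi in specs:
        with zipfile.ZipFile(os.path.join(root, rel), "w") as zf:
            zf.writestr(POM_PROPS, "version=2.14.1\n")  # sample version string
            if with_jndi:
                zf.writestr(JNDI_LOOKUP, b"placeholder bytes, not a real class")
    return {os.path.relpath(p, root): v for p, v in scan_tree(root).items()}
```

On the global-default question, the HotSpot JVM reads the JAVA_TOOL_OPTIONS environment variable at startup, so placing -Dlog4j2.formatMsgNoLookups=true there applies it to every JVM launched under that environment; a bundled log4j older than 2.10 does not recognise the property at all.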
