https://issues.apache.org/bugzilla/show_bug.cgi?id=50323
Summary: Vulnerability in NTEventLogAppender
Product: Log4j
Version: 1.2
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: normal
Priority: P2
Component: Appender
AssignedTo: [email protected]
ReportedBy: [email protected]

Log4j has a vulnerability in NTEventLogAppender.
NTEventLogAppender loads NTEventLogAppender.dll without specifying a fully
qualified path name, as follows:

    if (!loaded) {
        System.loadLibrary("NTEventLogAppender");
    }

org/apache/log4j/nt/NTEventLogAppender.java

Microsoft says to "use fully qualified paths for all calls to LoadLibrary".
http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Components-PostAttachments/00-03-35-14-21/Secure-loading-of-libraries-to-prevent-DLL-Preloading.docx
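
Added example, not part of the bug report and not log4j code: one way to apply the "fully qualified path" advice in Java is to resolve the library inside a single trusted directory and pass the absolute path to System.load, which takes a file path instead of searching java.library.path the way System.loadLibrary does. The class name TrustedNativeLoader and the system property example.native.dir are hypothetical names chosen for illustration.

```java
import java.io.File;
import java.io.IOException;

/** Added example: load a native library only from one trusted directory, by absolute path. */
public final class TrustedNativeLoader {
    private TrustedNativeLoader() {}

    /**
     * Resolves libName (e.g. "NTEventLogAppender") to a canonical file directly inside
     * trustedDir. Throws if the name carries path components or resolves elsewhere.
     */
    static File resolve(File trustedDir, String libName) throws IOException {
        if (libName.isEmpty() || libName.contains("/")
                || libName.contains("\\") || libName.contains("..")) {
            throw new IOException("library name must be a bare name: " + libName);
        }
        File dir = trustedDir.getCanonicalFile();
        // System.mapLibraryName adds the platform prefix/suffix (".dll" on Windows).
        File lib = new File(dir, System.mapLibraryName(libName)).getCanonicalFile();
        if (!dir.equals(lib.getParentFile())) {
            throw new IOException("library resolves outside trusted directory: " + lib);
        }
        if (!lib.isFile()) {
            throw new IOException("library not found: " + lib);
        }
        return lib;
    }

    /** Loads by fully qualified path; System.load rejects non-absolute names. */
    static void load(File trustedDir, String libName) throws IOException {
        System.load(resolve(trustedDir, libName).getPath());
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical property naming the directory the DLL was installed into.
        String dir = System.getProperty("example.native.dir");
        if (dir == null) {
            throw new IllegalStateException("set -Dexample.native.dir=<absolute directory>");
        }
        load(new File(dir), "NTEventLogAppender");
    }
}
```

The trusted directory should be writable only by administrators. DLLs that the native library itself imports are still located by the Windows loader's own search order, so this covers only the first load.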