Removing JndiLookup helps by preventing the JNDI attack. You absolutely need to 
do this if you do not upgrade.

For item 2, look at your log4j2 configuration file. If it contains 
${ctx:somekey} then you need to understand how somekey is being populated. I 
would venture to guess that most Log4j2 configurations won’t have ${ctx: in 
them, in which case there is nothing to do.

Ralph

> On Dec 19, 2021, at 9:54 PM, b...@virtualcdc.com wrote:
> 
> 
> Dear team
> Hi.
> 
> Regarding the Log4j vulnerability, as far as I know one of the solutions was to remove 
> the JndiLookup.class file from the log4j-core-*.jar file.
> 
> But now we see another vulnerability:
> 
> upgrade to 2.17 or
> Otherwise, in the configuration, remove references to Context Lookups like 
> ${ctx:loginId} or $${ctx:loginId} where they originate from sources external 
> to the application such as HTTP headers or user input.
> 
> 1- Do you mean that removing the class file (JndiLookup.class) cannot help us?
> 2- Would you please say how we can do this on Linux systems?
> in the configuration, remove references to Context Lookups like 
> ${ctx:loginId} or $${ctx:loginId} where they originate from sources external 
> to the application such as HTTP headers or user input.
> 
> Best regards.
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: log4j-user-unsubscr...@logging.apache.org
> For additional commands, e-mail: log4j-user-h...@logging.apache.org
> 
> 
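An added example, not part of Ralph's reply or the quoted message and not Log4j project code: a Python script that covers both items Ralph describes. It checks whether a log4j-core jar still carries the JndiLookup class entry, scans a log4j2 configuration for `${ctx:...}` / `$${ctx:...}` lookups, and then searches Java sources for the `ThreadContext.put` / `MDC.put` calls that populate each referenced key, so you can see whether the value comes from outside the application (here, an HTTP header). The jar, the configuration and the Java source are constructed for the example; the function and file names are the example's own.

```python
import io
import re
import zipfile

# Entry that the mitigation discussed in the thread removes from log4j-core-*.jar
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# ${ctx:key} and the deferred form $${ctx:key}, optionally with a ":-default" suffix
CTX_LOOKUP = re.compile(r"\$?\$\{ctx:([A-Za-z0-9_.\-]+)(?::-[^}]*)?\}")

# Java calls that populate the Thread Context map: ThreadContext.put("key", ...) or MDC.put("key", ...)
CTX_PUT = re.compile(r'\b(?:ThreadContext|MDC)\.put\(\s*"([^"]+)"')


def jar_has_jndi_lookup(jar_bytes):
    """True if the jar (given as bytes) still contains JndiLookup.class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return JNDI_LOOKUP_ENTRY in jar.namelist()


def find_context_lookups(config_text):
    """Context keys referenced by ${ctx:...} / $${ctx:...} anywhere in a log4j2 config (XML, properties, ...)."""
    return set(CTX_LOOKUP.findall(config_text))


def find_context_writers(java_sources):
    """Map context key -> [(path, line_no, source line)] for every ThreadContext/MDC put call."""
    writers = {}
    for path, text in java_sources.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for key in CTX_PUT.findall(line):
                writers.setdefault(key, []).append((path, line_no, line.strip()))
    return writers


def review_config(config_text, java_sources):
    """Pair each ${ctx:key} in the config with the code that sets it; keys with no writer found are 'unresolved'."""
    keys = find_context_lookups(config_text)
    writers = find_context_writers(java_sources)
    return {
        "found": {k: writers[k] for k in sorted(keys) if k in writers},
        "unresolved": sorted(k for k in keys if k not in writers),
    }


def build_sample_jar(with_jndi_lookup):
    """Constructed stand-in for log4j-core-*.jar (not a real jar): only the entry names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"")
        if with_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_ENTRY, b"")
    return buf.getvalue()


# Constructed sample configuration; the pattern uses both lookup forms mentioned in the thread
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p [${ctx:loginId}] $${ctx:requestId:-none} %c - %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>
"""

# Constructed sample source: loginId is copied from an HTTP header, i.e. from outside the application
SAMPLE_JAVA = {
    "src/AuthFilter.java": """
public class AuthFilter implements Filter {
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) {
        // value taken straight from a request header
        ThreadContext.put("loginId", ((HttpServletRequest) req).getHeader("X-Login-Id"));
        chain.doFilter(req, res);
    }
}
""",
}


if __name__ == "__main__":
    print("JndiLookup present:", jar_has_jndi_lookup(build_sample_jar(True)))
    report = review_config(SAMPLE_CONFIG, SAMPLE_JAVA)
    for key, locs in report["found"].items():
        for path, no, src in locs:
            print(f"{key}: set at {path}:{no}: {src}")
    for key in report["unresolved"]:
        print(f"{key}: no ThreadContext/MDC writer found; check filters, frameworks and other sources")
```

On a real Linux host, point `jar_has_jndi_lookup` at the bytes of each `log4j-core-*.jar` you find (for example with `find / -name 'log4j-core-*.jar'`) and `review_config` at the deployed `log4j2.xml` or `log4j2.properties` plus the application sources; the class removal itself is the `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class` command documented by the Log4j project. A key reported as unresolved is not automatically safe: it may be set by a filter, a web framework or a library rather than by application code, so trace it before concluding there is nothing to do.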

