I searched for ${ctx:somekey} in the log4j-config.xsd file but could not find anything. Does that mean that it is enough if we upgrade to 2.17 or just remove the class file?

Quoting Ralph Goers <ralph.go...@dslextreme.com>:

Removing JndiLookup helps by preventing the JNDI attack. You absolutely need to do this if you do not upgrade.

For item 2, look at your log4j2 configuration file. If it contains ${ctx:somekey} then you need to understand how somekey is being populated. I would venture to guess that most Log4j2 configurations won’t have ${ctx: in them, in which case there is nothing to do.

Ralph

On Dec 19, 2021, at 9:54 PM, b...@virtualcdc.com wrote:


Dear team
Hi.

According to the Log4j vulnerability, as far as I know, one of the solutions was to remove the JndiLookup.class file from the log4j-core-*.jar file.

But now we see another vulnerability:

Upgrade to 2.17, or
Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.

1- Do you mean that removing the class file (JndiLookup.class) cannot help us?
2- Would you please say how we can do this on Linux systems?
in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.

Best regards.


---------------------------------------------------------------------
To unsubscribe, e-mail: log4j-user-unsubscr...@logging.apache.org
For additional commands, e-mail: log4j-user-h...@logging.apache.org
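As an added example (not code from this thread, from Ralph, or from the Log4j project), the two steps discussed above can be scripted on a Linux host: strip JndiLookup.class from every log4j-core jar found under a directory, and report every ${ctx:...} or $${ctx:...} reference in the Log4j 2 configuration files found next to it. The class path org/apache/logging/log4j/core/lookup/JndiLookup.class is the real one; the directory layout, the jar contents and the configuration files the script builds for itself are constructed demo data, and the default config-file name patterns are an assumption you should widen for your own deployment.

```python
"""Audit and mitigate a Log4j 2 deployment without upgrading (added example).

Step 1: find log4j-core-*.jar files that still contain JndiLookup.class and
        remove that entry (equivalent to the documented
        `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`).
Step 2: list every ctx lookup in the Log4j 2 configuration files so each key can
        be traced back to whatever populates the ThreadContext.
"""
import os
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# ${ctx:key} and the deferred form $${ctx:key}, optionally with a ":-default" suffix.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}:]+)(?::-[^}]*)?\}")

# Assumed config-file naming; extend for deployments that use -Dlog4j2.configurationFile.
CONFIG_GLOBS = ("log4j2*.xml", "log4j2*.json", "log4j2*.yml", "log4j2*.yaml", "log4j2*.properties")


def find_core_jars(root):
    """All log4j-core-*.jar files below root."""
    return sorted(Path(root).rglob("log4j-core-*.jar"))


def jar_has_jndi_lookup(jar_path):
    """True if the jar still ships JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_ENTRY in zf.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; returns True if an entry was removed.

    zipfile cannot delete in place, so every other entry is copied (in original
    order, so META-INF/MANIFEST.MF stays first) into a temp file in the same
    directory, which then atomically replaces the original."""
    jar_path = Path(jar_path)
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_ENTRY not in src.namelist():
            return False
        fd, tmp_name = tempfile.mkstemp(dir=jar_path.parent, suffix=".jar.tmp")
        os.close(fd)
        with zipfile.ZipFile(tmp_name, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_ENTRY:
                    dst.writestr(info, src.read(info.filename))
    os.replace(tmp_name, jar_path)
    return True


def find_ctx_lookups(config_text):
    """[(line_no, raw_token, key)] for every ctx lookup in a config file's text."""
    hits = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        for m in CTX_LOOKUP.finditer(line):
            hits.append((line_no, m.group(0), m.group(1)))
    return hits


def find_config_files(root):
    files = set()
    for pattern in CONFIG_GLOBS:
        files.update(Path(root).rglob(pattern))
    return sorted(files)


def audit(root, fix=False):
    """Audit (and with fix=True, mitigate) a deployment tree; returns a summary dict."""
    report = {"jars_with_jndi": [], "jars_stripped": [], "ctx_lookups": {}}
    for jar in find_core_jars(root):
        if jar_has_jndi_lookup(jar):
            report["jars_with_jndi"].append(str(jar))
            if fix and strip_jndi_lookup(jar):
                report["jars_stripped"].append(str(jar))
    for cfg in find_config_files(root):
        hits = find_ctx_lookups(cfg.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report["ctx_lookups"][str(cfg)] = hits
    return report


def build_demo_tree(root):
    """Constructed sample deployment (not real data): one unpatched log4j-core jar
    with fake class bytes, one config using ctx lookups and one that does not."""
    root = Path(root)
    lib = root / "app" / "lib"
    lib.mkdir(parents=True)
    with zipfile.ZipFile(lib / "log4j-core-2.14.1.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_ENTRY, b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/logging/log4j/core/lookup/DateLookup.class", b"\xca\xfe\xba\xbe")
    (root / "app" / "log4j2.xml").write_text(
        '<Configuration>\n'
        '  <PatternLayout pattern="%d user=$${ctx:loginId} %m%n"/>\n'
        '  <Property name="sess">${ctx:sessionId:-none}</Property>\n'
        '</Configuration>\n', encoding="utf-8")
    (root / "app" / "log4j2-test.properties").write_text(
        "appender.console.layout.pattern = %d %p %m%n\n", encoding="utf-8")
    return root


def run_demo():
    """Build the demo tree, audit it, mitigate it, and confirm no JndiLookup remains."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_tree(tmp)
        before = audit(root)
        after = audit(root, fix=True)
        still_present = [str(j) for j in find_core_jars(root) if jar_has_jndi_lookup(j)]
        return before, after, still_present


if __name__ == "__main__":
    before, after, still_present = run_demo()
    print("before:", before)
    print("after:", after)
    print("jars still containing JndiLookup:", still_present)
```

On a real host, call audit("/opt/yourapp", fix=True) as a user that can write the jars, and restart the JVMs afterwards, since a running process keeps the old jar mapped. The $${ctx:...} form inside a PatternLayout is evaluated per log event, so those hits are the ones to trace first; the script only tells you which keys are referenced, not whether the ThreadContext value behind each key comes from an HTTP header or other untrusted input, which still has to be checked in the application code.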