The exact plain string (non-regex) to search for would be "${ctx". "somekey" is a placeholder for the name of the variable.
On Mon, 20 Dec, 2021, 16:29 , <b...@virtualcdc.com> wrote:

> I searched for ${ctx:somekey} in the log4j-config.xsd file but could not
> find anything.
> Does that mean it is enough if we upgrade to 2.17 or just remove the
> class file?
>
>
> Quoting Ralph Goers <ralph.go...@dslextreme.com>:
>
> > Removing JndiLookup helps by preventing the JNDI attack. You
> > absolutely need to do this if you do not upgrade.
> >
> > For item 2 look at your log4j2 configuration file. If it contains
> > ${ctx:somekey} then you need to understand how somekey is being
> > populated. I would venture to guess that most Log4j2 configurations
> > won’t have ${ctx: in them in which case there is nothing to do.
> >
> > Ralph
> >
> >> On Dec 19, 2021, at 9:54 PM, b...@virtualcdc.com wrote:
> >>
> >>
> >> Dear team
> >> Hi.
> >>
> >> Regarding the Log4j vulnerability, as far as I know one of the
> >> solutions was to remove the JndiLookup.class file from the
> >> log4j-core-*.jar file.
> >>
> >> But now we see another vulnerability:
> >>
> >> upgrade to 2.17 or
> >> Otherwise, in the configuration, remove references to Context
> >> Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate
> >> from sources external to the application such as HTTP headers or
> >> user input.
> >>
> >> 1- Do you mean that removing the class file (JndiLookup.class) cannot help us?
> >> 2- Would you please say how we can do this on Linux systems?
> >> in the configuration, remove references to Context Lookups like
> >> ${ctx:loginId} or $${ctx:loginId} where they originate from sources
> >> external to the application such as HTTP headers or user input.
> >>
> >> Best regards.
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: log4j-user-unsubscr...@logging.apache.org
> >> For additional commands, e-mail: log4j-user-h...@logging.apache.org
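
The plain-string search for "${ctx" discussed in this thread, as an added shell example that is not part of the original messages. The function names, the list of configuration file names and the sample configuration are assumptions made for illustration; the key list it prints is what has to be traced back to the code that populates each key.

```shell
#!/bin/sh
# Added example (not from the thread): find Context Lookups in Log4j2 configs.

# Fixed-string search (grep -F, no regex) for ${ctx in files with the usual
# Log4j2 configuration names (assumption: the deployment uses such names).
# Prints file:line:text. The escaped form $${ctx:...} matches too, because it
# contains the same substring.
find_ctx_lines() {
    find "$1" -type f \( -name 'log4j2*.xml' -o -name 'log4j2*.properties' \
        -o -name 'log4j2*.yaml' -o -name 'log4j2*.yml' -o -name 'log4j2*.json' \) \
        -exec grep -nHF '${ctx' {} +
}

# Unique key names used in ctx lookups, one per line. A default value such as
# ${ctx:key:-fallback} is cut off at the second colon.
list_ctx_keys() {
    find_ctx_lines "$1" | grep -o '\${ctx:[^}:]*' | sed 's/^\${ctx://' | sort -u
}

# Constructed sample tree for the demo; not taken from a real deployment.
make_sample() {
    cat > "$1/log4j2.xml" <<'EOF'
<Configuration>
  <Appenders>
    <Console name="c">
      <PatternLayout pattern="%d ${ctx:loginId} %m%n"/>
    </Console>
    <File name="f" fileName="app-$${ctx:requestId:-none}.log"/>
  </Appenders>
</Configuration>
EOF
    printf 'rootLogger.level = info\n' > "$1/log4j2-test.properties"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "Lines containing a Context Lookup:"
find_ctx_lines "$demo_dir"
echo "Keys whose origin needs to be understood:"
list_ctx_keys "$demo_dir"
rm -rf "$demo_dir"
```

An empty key list means the scanned configuration files contain no "${ctx" reference.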