Do you mean that I have to search for "${ctx" in the Log4j-config.xsd file?
Would you say exactly which parameters need to be removed from the
Log4j-config.xsd file?
Quoting Tushar Kapila <tgkp...@gmail.com>:
The exact plain string (non-regex) to search for would be
"${ctx"
"somekey" is a placeholder for the name of the variable.
On Mon, 20 Dec, 2021, 16:29 , <b...@virtualcdc.com> wrote:
I searched for ${ctx:somekey} in the log4j-config.xsd file but could not
find anything.
Does that mean it is enough if we upgrade to 2.17, or just remove the
class file?
Quoting Ralph Goers <ralph.go...@dslextreme.com>:
> Removing JndiLookup helps by preventing the JNDI attack. You
> absolutely need to do this if you do not upgrade.
>
> For item 2 look at your log4j2 configuration file. If it contains
> ${ctx:somekey} then you need to understand how somekey is being
> populated. I would venture to guess that most Log4j2 configurations
> won’t have ${ctx: in them in which case there is nothing to do.
>
> Ralph
>
>> On Dec 19, 2021, at 9:54 PM, b...@virtualcdc.com wrote:
>>
>>
>> Dear team
>> Hi.
>>
>> Regarding the Log4j vulnerability, as far as I know one of the solutions was
>> to remove the JndiLookup.class file from the log4j-core-*.jar file.
>>
>> But now we see another vulnerability:
>>
>> upgrade to 2.17 or
>> Otherwise, in the configuration, remove references to Context
>> Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate
>> from sources external to the application such as HTTP headers or
>> user input.
>>
>> 1- Do you mean that removing the class file (JndiLookup.class) cannot help us?
>> 2- Would you please say how we can do this on Linux systems?
>> in the configuration, remove references to Context Lookups like
>> ${ctx:loginId} or $${ctx:loginId} where they originate from sources
>> external to the application such as HTTP headers or user input.
>>
>> Best regards.
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: log4j-user-unsubscr...@logging.apache.org
>> For additional commands, e-mail: log4j-user-h...@logging.apache.org
>>
>>
>
>
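Since the question is how to carry out both steps on a Linux box, the following is an added example (not code from the thread or from the Log4j project) that does what Ralph and Tushar describe: it walks a directory tree, reports every log4j-core jar with its manifest version and whether JndiLookup.class is still inside, optionally strips that class (the same effect as running zip -q -d on the jar), and greps the log4j2 configuration files (log4j2.xml and friends, which is the file Ralph's reply means, not the log4j-config.xsd schema) for ${ctx:...} and $${ctx:...} references. It uses only the Python standard library so it runs without the zip tool installed. The jar name, version 2.14.1, the directory layout and the sample log4j2.xml are constructed fixtures built by the script itself; the version cut-off of 2.17.0 is the one the thread mentions.

```python
import os
import re
import tempfile
import zipfile

# Added example, not code from the thread or the Log4j project.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches ${ctx:somekey} and the delayed form $${ctx:somekey}; the captured
# group is the key whose source (header, user input, ...) you then trace.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}]+)\}")
TARGET = (2, 17, 0)  # release the thread says to upgrade to
CONFIG_EXT = (".xml", ".properties", ".yaml", ".yml", ".json")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1), so versions compare as tuples."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def jar_version(jar_path):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def has_jndi_lookup(jar_path):
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_CLASS in zf.namelist()


def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; True if an entry was removed.
    zipfile cannot delete in place, so every other entry is copied into a
    temporary jar which then atomically replaces the original."""
    if not has_jndi_lookup(jar_path):
        return False
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)
    return True


def find_ctx_lookups(config_text):
    """(line_number, key) for every ${ctx:key} or $${ctx:key} in a config."""
    return [(n, m.group(1))
            for n, line in enumerate(config_text.splitlines(), 1)
            for m in CTX_LOOKUP.finditer(line)]


def audit(root, remove=False):
    """Walk `root`: list each log4j-core jar (version, below TARGET?, class
    present?) and each log4j2 config that still references a context lookup.
    With remove=True the class is stripped from every jar found."""
    report = {"jars": [], "ctx_refs": {}}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.startswith("log4j-core") and name.endswith(".jar"):
                ver = jar_version(path)
                removed = remove_jndi_lookup(path) if remove else False
                report["jars"].append({
                    "path": path, "version": ver,
                    "below_target": ver is not None and parse_version(ver) < TARGET,
                    "jndi_present": has_jndi_lookup(path),
                    "jndi_removed": removed})
            elif name.startswith("log4j2") and name.endswith(CONFIG_EXT):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_ctx_lookups(fh.read())
                if hits:
                    report["ctx_refs"][path] = hits
    return report


# Constructed sample config: ${ctx:loginId} on line 5 and the delayed form
# $${ctx:loginId} on line 8; the scan must flag both.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p [user=${ctx:loginId}] %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout pattern="%d %p [user=$${ctx:loginId}] %m%n"/>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
"""


def build_sample(root):
    """Constructed fixture: a fake log4j-core-2.14.1.jar holding only a manifest
    and an empty JndiLookup.class entry, plus the config above. Not a real jar."""
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib)
    jar_path = os.path.join(lib, "log4j-core-2.14.1.jar")
    with zipfile.ZipFile(jar_path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n")
        zf.writestr(JNDI_CLASS, b"")
    cfg_path = os.path.join(root, "app", "log4j2.xml")
    with open(cfg_path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CONFIG)
    return jar_path, cfg_path


def run_demo():
    """Build the fixture in a temp dir and audit it before and after removal."""
    root = tempfile.mkdtemp(prefix="log4j-audit-")
    build_sample(root)
    return audit(root), audit(root, remove=True)


if __name__ == "__main__":
    print(run_demo()[1])
```

On a real host you would call audit("/opt/myapp") first without remove=True to see what is there, then with it once you have a backup of the jars. Note that removing the class only covers the JNDI lookup; any ${ctx:...} hit the report lists still has to be traced to where that key is populated, as Ralph says, and the jar version line tells you whether an upgrade is still outstanding.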