I cannot understand what this means:
Otherwise, in the configuration, remove references to Context Lookups
like ${ctx:loginId} or $${ctx:loginId} where they originate from
sources external to the application such as HTTP headers or user input.
1- Would you say what I should do exactly?
2- Would you say what string I should be looking for in Log4j-config.xsd?
3- Do I have to look in Log4j-config.xsd?
4- Would you say exactly what parameters I should remove?
BR
Quoting b...@virtualcdc.com:
Do you mean I have to search for "${ctx" in the Log4j-config.xsd file?
Would you say exactly what parameters need to be removed from the
Log4j-config.xsd file?
Quoting Tushar Kapila <tgkp...@gmail.com>:
Exact plain string (Non regex) to search would be
"${ctx"
"somekey" is a placeholder for name of variable.
On Mon, 20 Dec, 2021, 16:29, <b...@virtualcdc.com> wrote:
I searched for ${ctx:somekey} in the log4j-config.xsd file but could not
find anything.
Does that mean it is enough if we upgrade to 2.17 or just remove the
class file?
Quoting Ralph Goers <ralph.go...@dslextreme.com>:
Removing JndiLookup helps by preventing the JNDI attack. You
absolutely need to do this if you do not upgrade.
For item 2 look at your log4j2 configuration file. If it contains
${ctx:somekey} then you need to understand how somekey is being
populated. I would venture to guess that most Log4j2 configurations
won’t have ${ctx: in them in which case there is nothing to do.
Ralph
On Dec 19, 2021, at 9:54 PM, b...@virtualcdc.com wrote:
Dear team
Hi.
Regarding the Log4j vulnerability, as far as I know one of the solutions was
to remove the JndiLookup.class file from the log4j-core-*.jar file.
But now we see another vulnerability:
upgrade to 2.17 or
Otherwise, in the configuration, remove references to Context
Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate
from sources external to the application such as HTTP headers or
user input.
1- Do you mean that removing the class file (JndiLookup.class) cannot help
us?
2- Would you please say how we can do this on Linux systems?
in the configuration, remove references to Context Lookups like
${ctx:loginId} or $${ctx:loginId} where they originate from sources
external to the application such as HTTP headers or user input.
Best regards.
---------------------------------------------------------------------
To unsubscribe, e-mail: log4j-user-unsubscr...@logging.apache.org
For additional commands, e-mail: log4j-user-h...@logging.apache.org
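
Added example, not part of the original thread or of the Log4j project: a shell sketch of the check discussed above, searching Log4j 2 configuration files on a Linux system for the plain string `${ctx:` and listing the key names found so each can be traced to where it is populated. The function names and the `log4j2*` file-name patterns are assumptions; the sample configuration is constructed.

```shell
#!/bin/sh
# Assumption: the configuration uses a log4j2* file name. Adjust the
# patterns if the application loads its configuration under another name.

find_ctx_lookups() {
    # $1 = directory to scan. Prints file:line:text for every line holding
    # the plain (non-regex) string ${ctx: which also matches $${ctx:
    find "$1" -type f \( -name 'log4j2*.xml' -o -name 'log4j2*.properties' \
        -o -name 'log4j2*.yaml' -o -name 'log4j2*.yml' \
        -o -name 'log4j2*.json' \) \
        -exec grep -nF -- '${ctx:' {} /dev/null \;
}

list_ctx_keys() {
    # Unique key names ("somekey" in ${ctx:somekey}); for each one, check
    # whether the application fills it from HTTP headers or user input.
    find_ctx_lookups "$1" | grep -o '\${ctx:[^}:]*' | sed 's/^\${ctx://' | sort -u
}

make_sample() {
    # Constructed sample: one config with a Context Lookup, one without.
    d=$(mktemp -d)
    cat > "$d/log4j2.xml" <<'EOF'
<Configuration>
  <Appenders>
    <Console name="A">
      <PatternLayout pattern="%d $${ctx:loginId} %m%n"/>
    </Console>
  </Appenders>
</Configuration>
EOF
    printf 'appender.c.layout.pattern = %%d %%m%%n\n' > "$d/log4j2-clean.properties"
    echo "$d"
}

# Stand-alone use: sh script.sh /path/to/application
if [ "$#" -gt 0 ]; then
    find_ctx_lookups "$1"
fi
```

No output means none of the scanned configuration files reference a Context Lookup.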