Marcono1234 commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991396409


The latest Java versions are most likely still vulnerable to RCE. While they
prevent loading classes from remote sources by default (`trustURLCodebase`
property mentioned in the comments above), they still permit regular
deserialization of classes on the classpath of the application. It has been
shown multiple times in the past that JDK classes and classes from external
libraries can be combined to create so-called deserialization "gadget chains",
which allow RCE.
And even if no such gadget chain is publicly known for the libraries you are
using, it is likely that it just has not been discovered or publicly disclosed
yet.
   
Could the misleading statement suggesting that certain Java versions are not
affected by RCE please be removed from the CVE entry description?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
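The mechanism the comment describes, shown as an added example that is not part of the pull request or of the Log4j project's code: `ObjectInputStream` instantiates any `Serializable` class it can find on the classpath and runs that class's private `readObject` hook before the caller ever sees a result, so no remote codebase is needed for deserialization to execute code. The `LoggingHook` class below is a constructed stand-in for such a classpath class (it only records a string, it is not a real gadget chain), and the names `serialize`, `deserialize` and `LocalGadgetDemo` are this example's own. The second half shows the check a practitioner would want: a JEP 290 `ObjectInputFilter` allowlist (Java 9 and later) rejects the class before it is instantiated.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class LocalGadgetDemo {

    // Constructed stand-in for a "gadget": an ordinary Serializable class that is
    // already on the application's classpath and whose readObject hook has a side
    // effect. Real gadget chains wire JDK and library classes together so that the
    // side effect is arbitrary code execution; here it is just a recorded string.
    static class LoggingHook implements Serializable {
        private static final long serialVersionUID = 1L;
        static volatile String lastMessage;
        String message;

        LoggingHook(String message) {
            this.message = message;
        }

        // Called by ObjectInputStream during deserialization, before readObject()
        // returns to the caller. Nothing was loaded from a remote codebase.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            lastMessage = "readObject hook ran with message: " + message;
        }
    }

    // Serialize an object graph to bytes (the role the attacker-controlled stream plays).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with an optional JEP 290 filter. The filter is consulted when the
    // class descriptor is read, i.e. before the class is instantiated and before
    // its readObject hook can run.
    static Object deserialize(byte[] data, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            if (filter != null) {
                ois.setObjectInputFilter(filter);
            }
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = serialize(new LoggingHook("hello"));

        // 1. No filter: the class is resolved from the local classpath and its
        //    readObject hook executes. This is the situation the comment describes:
        //    trustURLCodebase=false stops remote class loading, not this.
        LoggingHook.lastMessage = null;
        deserialize(payload, null);
        System.out.println("unfiltered: " + LoggingHook.lastMessage);

        // 2. Allowlist filter: only java.lang and java.util types are accepted,
        //    everything else is rejected. The hook never runs.
        LoggingHook.lastMessage = null;
        ObjectInputFilter allowlist =
                ObjectInputFilter.Config.createFilter("java.lang.*;java.util.*;!*");
        try {
            deserialize(payload, allowlist);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected (" + e.getMessage() + ")");
        }
        System.out.println("filtered hook state: " + LoggingHook.lastMessage);
    }
}
```

A per-stream filter as above only protects streams the application opens itself. When the deserialization happens inside JDK or library code, as it does during a JNDI lookup, the process-wide filter configured through the `jdk.serialFilter` system property (same pattern syntax) is the one that applies; an allowlist is preferable to a blocklist, since the comment's point is precisely that the set of usable gadget classes is not known in advance.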
