[
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458296#comment-17458296
]
Alexander Yastrebov commented on LOG4J2-3214:
---------------------------------------------
> The system property/environment variable does not have "evidence" that is
> working
Environment variable is easier to set system-wide on the infrastructure level
(e.g. in Kubernetes admission controller)
> For releases >=2.0-beta9 and <2.7, remove the {{JndiLookup}}
I think the version range should include all versions, i.e. right boundary
should be the latest affected version. If users go for patching the library
they might want to patch all the versions instead of applying different fixes
for different versions
> update security page text for CVE-2021-44228
> --------------------------------------------
>
> Key: LOG4J2-3214
> URL: https://issues.apache.org/jira/browse/LOG4J2-3214
> Project: Log4j 2
> Issue Type: Documentation
> Affects Versions: 2.15.0
> Reporter: Remko Popma
> Priority: Major
> Fix For: 2.16.0
>
>
> I propose to update the text for the mitigation section of CVE-2021-44228 on
> [https://logging.apache.org/log4j/2.x/security.html]
> Changes: add Log4j 1.x section, and format the Log4j 2.x section as a bullet
> point list for improved readability.
> ----
> {*}Log4j 1.x mitigation{*}: Audit your logging configuration to ensure it has
> no {{JMSAppender}} configured. Log4j 1.x configurations without JMSAppender
> are not impacted by this vulnerability.
> {*}Log4j 2.x mitigation{*}: Implement one of the below listed mitigation
> techniques, ordered from the most recommended approach to the least.
> # Upgrade to a version >=2.15.0 or later
> # For releases >=2.10,
> ** set system property {{log4j2.formatMsgNoLookups}} to {{true}} (see
> [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties])
> ** or set environment variable {{LOG4J_FORMAT_MSG_NO_LOOKUPS}} to {{true}}
> (see
> [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties]).
> # For releases >=2.7 and <=2.14.1, modify your logging configuration to
> disable message lookups:
> ** use {{{}%m{nolookups{}}}} instead of just {{%m}}
> ** use {{{}%msg{nolookups{}}}} instead of just {{%msg}}
> ** use {{{}%message{nolookups{}}}} instead of just {{%message}}
> # For releases >=2.0-beta9 and <2.7, remove the {{JndiLookup}} class from
> the classpath: {{zip \-q \-d log4j-core-*.jar
> org/apache/logging/log4j/core/lookup/JndiLookup.class}}
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
