[
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458489#comment-17458489
]
Steve Parker commented on LOG4J2-3214:
--------------------------------------
{noformat}
The reason we single out this version range 2.0-beta9 to <2.7 is because for
this version range, modifying the log4j-core JAR is the only mitigation
mechanism available*no* further _formatting_ is done here{noformat}
In 2.0-beta9, the Interpolator class always tries to load the JndiLookup class
so if it the class is removed from the jarfile, an unhandled exception will be
thrown.
See [Interpolator.java
2..0-beta9|https://github.com/apache/logging-log4j2/blob/log4j-2.0-beta9/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java]
In later versions, it tries to load the class first and handles any exception
as a Warning
See [Interpolator.java
2.15.0|https://github.com/apache/logging-log4j2/blob/rel/2.15.0/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java]
Applications using 2.0-beta9 that don't handle the exception may not start if
the JndiLookup class is not found.
> Update security page text for CVE-2021-44228
> --------------------------------------------
>
> Key: LOG4J2-3214
> URL: https://issues.apache.org/jira/browse/LOG4J2-3214
> Project: Log4j 2
> Issue Type: Documentation
> Affects Versions: 2.15.0
> Reporter: Remko Popma
> Priority: Major
> Fix For: 2.16.0
>
>
> I propose to update the text for the mitigation section of CVE-2021-44228 on
> [https://logging.apache.org/log4j/2.x/security.html]
> Changes: add Log4j 1.x section, and format the Log4j 2.x section as a bullet
> point list for improved readability.
> ----
> {*}Log4j 1.x mitigation{*}: Audit your logging configuration to ensure it has
> no {{JMSAppender}} configured. Log4j 1.x configurations without JMSAppender
> are not impacted by this vulnerability.
> {*}Log4j 2.x mitigation{*}: Implement one of the mitigation techniques below.
> * Upgrade to release 2.15.0 or later
> * For releases >= 2.10,
> ** set system property {{log4j2.formatMsgNoLookups}} to {{true}} (see
> [https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties])
> ** or set environment variable {{LOG4J_FORMAT_MSG_NO_LOOKUPS}} to {{true}}
> (see
> [https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties]).
> * For releases >= 2.7 and <= 2.14.1, modify your logging configuration to
> disable message lookups:
> ** use {{{}%m{nolookups{}}}} instead of just {{%m}}
> ** use {{{}%msg{nolookups{}}}} instead of just {{%msg}}
> ** use {{{}%message{nolookups{}}}} instead of just {{%message}}
> * For releases >= 2.0-beta9 and < 2.7, the only mitigation is to remove the
> {{JndiLookup}} class from the classpath: {{zip {-}q -d log4j-core{-}*.jar
> org/apache/logging/log4j/core/lookup/JndiLookup.class}}
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
