ceki edited a comment on pull request #608: URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992730958
Regarding `JMSAppender `vulnerability, it has to be placed in the log4j.xml configuration file with a corrupt parameter. If the log4j.xml configuration file is write protected for all users including its owner, it would be quite difficult to override it with corrupt instructions. For more details, please read [my log4jShell comments](http://slf4j.org/log4shell.html) In my opinion, protecting log4j.xml is actually as relevant as worrying about patching `JMSAppender`, if not more. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
