sellexx-stephan commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992997550


   Thanks @zhangyoufu for your great workaround!
   Thanks @remkop and all others here for caring!
   
   About the hint given by zhangyoufu: "Just zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class to disable ${jndi:...} functionality completely." in https://github.com/apache/logging-log4j2/pull/608#issuecomment-990305306
   
   We are not Java guys, so I need some more details about how to apply this on MS Windows Servers (for log4j-core-2.8.2.jar files under OpenJDK 16). I guess this is how to do it:
   - search for log4j-core-*.jar files on your server using explorer.exe
   - for each such file do (using the command line in cmd.exe):
   - - go to the path of the file using the cd command
   - - enter: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class , but do not send it yet
   - - replace the * in the filename with the characters necessary to make it the real filename on your system
   - - send it by hitting ENTER
   - - if no reaction comes up, including no error message, it was successful
   - - if you send it a second time, a nothing-to-do message will show up, meaning it can't remove a class that has already been removed
   
   Is this correct?
   Do I have to reboot the server afterwards to make it effective?
   Or the other way round: does the effect of removing the class only last until reboot, so that I would have to run the zip... command every time after reboot?
   (you see: non-Java guy asking questions ;-)
   
   Thank you.
   
   
   
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
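
The per-file procedure described in the comment above, as an added PowerShell example (not code from the pull request or the Log4j project): it finds log4j-core-*.jar files under a directory, checks each for the JndiLookup.class entry, and removes it with .NET's ZipArchive instead of an external zip tool. The function name `Remove-JndiLookupClass`, the `.bak` backup, and the search roots are assumptions made for illustration.

```powershell
# Added example. Function name, backup suffix and search roots are assumptions.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Entry named in the workaround quoted in the comment
$JndiEntry = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'

function Remove-JndiLookupClass {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumed default; narrow this to the directories that hold your Java applications
        [string]$Root = 'C:\'
    )
    # Only stand-alone files named log4j-core-*.jar are matched; copies of
    # log4j-core packed inside other archives (WAR, fat jar) are not inspected.
    Get-ChildItem -Path $Root -Filter 'log4j-core-*.jar' -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $jar = $_.FullName
        $status = 'NotPresent'
        try {
            # Read-only pass: is the class still in the jar?
            $zip = [System.IO.Compression.ZipFile]::OpenRead($jar)
            try { $found = $null -ne $zip.GetEntry($JndiEntry) } finally { $zip.Dispose() }

            if ($found) {
                $status = 'Present'
                if ($PSCmdlet.ShouldProcess($jar, "Remove $JndiEntry")) {
                    # Keep a copy that is not named *.jar; delete it once the application is verified
                    Copy-Item -LiteralPath $jar -Destination "$jar.bak"
                    $zip = [System.IO.Compression.ZipFile]::Open($jar, 'Update')
                    try { $zip.GetEntry($JndiEntry).Delete() } finally { $zip.Dispose() }
                    $status = 'Removed'
                }
            }
        } catch {
            # For example: the jar is locked by a running Java process, or is not a valid zip
            $status = "Error: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Jar = $jar; JndiLookup = $status }
    }
}

# Dry run over an assumed application directory: reports 'Present' without changing anything.
Remove-JndiLookupClass -Root 'D:\apps' -WhatIf
```

Running the function again without `-WhatIf` performs the removal, and a second run then reports `NotPresent` for the same jars. The change is made to the jar file on disk, so it stays in place across reboots; a Java process that already has the jar open needs to be restarted to pick it up, and on Windows such a jar may be locked, which shows up as an `Error` status.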
