tony-- edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-993170115


   > > The confusion is made worse as this is a RedHat "CVE" which is not 
registered with cve.org.
   > 
   > It was just pushed to cve.org and should be visible soon. We decided to 
keep the Red Hat allocated CVE to save creating yet another and rejecting 
theirs. The text of the entry was written by ASF.
   
   @iamamoose 
   Can someone from ASF (who is involved with Log4j/Log4j 2, maybe whoever 
wrote the text for the CVE) confirm that an effective mitigation for 
CVE-2021-4104 is to remove JMSAppender from log4j-1.2.x.jar?  Would it be 
possible to include that in the CVE description?  This would be similar to the 
strategy identified for CVE-2021-44228 as well as the informal strategy used 
for CVE-2019-17571.  It's clear based on all of the discussion that many are 
interested in how to deal with this in Log4j 1.x, so it would be great if there 
was a clear mitigation defined.  If not in the CVE description, perhaps in a 
JIRA entry or a mailing list message?
   
   Is there a better place for me to request/propose this?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


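As an added example (not code from the comment above, from the Red Hat/ASF CVE text, or from the Log4j project), here is a small Python tool that performs the class-removal step the comment asks ASF to confirm as a mitigation for CVE-2021-4104: it reports whether `org/apache/log4j/net/JMSAppender.class` is present in a jar and rewrites the jar without it, the same operation that `zip -q -d log4j-core-*.jar org/apache/log4j/core/lookup/JndiLookup.class` performs for CVE-2021-44228. The entry paths are the real ones from the log4j 1.2 and log4j-core 2.x jars; the sample jar the script builds is constructed here with placeholder bytes so it runs offline. The script shows how to do the removal and verify it, not that the removal is sufficient, which is the question the comment leaves open.

```python
"""Remove a named class from a jar and verify it is gone (added example)."""
import io
import sys
import zipfile

# Entry paths as they appear in the real jars. The comment proposes removing the
# first from log4j-1.2.x.jar; the second is the analogous CVE-2021-44228 entry.
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
JNDI_LOOKUP = "org/apache/log4j/core/lookup/JndiLookup.class"


def entry_names(jar_bytes):
    """Sorted list of entry paths in a jar held in memory (a jar is a zip)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(zf.namelist())


def present_entries(jar_bytes, wanted):
    """Which of the `wanted` entry paths the jar actually contains."""
    names = set(entry_names(jar_bytes))
    return sorted(n for n in wanted if n in names)


def strip_entries(jar_bytes, unwanted):
    """Return (new_jar_bytes, removed). zipfile cannot delete in place, so the
    jar is rewritten entry by entry, keeping each ZipInfo (timestamps, method)."""
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename in unwanted:
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue(), removed


def build_sample_jar():
    """Constructed stand-in for log4j-1.2.17.jar: real entry paths, placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe placeholder")
        zf.writestr(JMS_APPENDER, b"\xca\xfe\xba\xbe placeholder")
    return buf.getvalue()


def mitigate_jar_file(path, unwanted=(JMS_APPENDER,)):
    """Rewrite the jar at `path` without `unwanted`; returns the removed entries."""
    with open(path, "rb") as f:
        data = f.read()
    new_data, removed = strip_entries(data, set(unwanted))
    if removed:
        # Verify the rewritten archive before overwriting the original.
        assert present_entries(new_data, unwanted) == []
        with open(path, "wb") as f:
            f.write(new_data)
    return removed


if __name__ == "__main__":
    # Usage: python strip_jms_appender.py path/to/log4j-1.2.17.jar [more jars...]
    # With no arguments, run against the constructed sample jar instead.
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, "removed:", mitigate_jar_file(p) or "nothing")
    else:
        jar = build_sample_jar()
        print("before:", present_entries(jar, [JMS_APPENDER, JNDI_LOOKUP]))
        jar, removed = strip_entries(jar, {JMS_APPENDER})
        print("removed:", removed, "after:", present_entries(jar, [JMS_APPENDER]))
```

Two caveats for anyone applying this to a real deployment: it only handles a plain jar on disk, so jars nested inside a war/ear or shaded into an application jar have to be unpacked first, and any log4j.properties/log4j.xml that still configures a JMSAppender will start logging a class-not-found error once the class is gone, which is the signal to remove that appender from the configuration as well.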