jschauma commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-994182074
> The message lookup mitigations aren't sufficient to protect from either
> the DoS or RCE attacks.
If mitigations, such as e.g. "-Dlog4j2.formatMsgNoLookups=true", are
insufficient against RCE, is it in fact true that 2.15.0 itself is insufficient
against RCE?
The advisory is not quite clear on this and can be read either way ("2.15.0,
while vulnerable to DoS, is sufficient against RCE, while mitigations in
<2.15.0 are not" or "2.15.0 is vulnerable both to DoS and to RCE"), but since
it's my understanding that 2.15.0 is (effectively) functionally equivalent to
2.14.x with "-Dlog4j2.formatMsgNoLookups=true", it seems to me that 2.15.0
remains vulnerable to RCE.
Is this interpretation correct?
In either case, can https://logging.apache.org/log4j/2.x/security.html and
the CVE be updated to be very explicit about this?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]