[ https://issues.apache.org/jira/browse/LOG4J2-3221?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17460636#comment-17460636 ]
Lloyd Fernandes commented on LOG4J2-3221:
-----------------------------------------

Just some feedback on the note: "Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability." Does the log4j community think it would be good to add an additional note asking teams/apps that have dependencies on both log4j-core and log4j-api to keep their versions in sync? It might be very basic, but I know guys out there asking whether we should be upgrading the api version as well. I ran across an error, which was resolved after I updated the log4j-api version to sync up with 2.16.

{code:java}
java.lang.NoSuchFieldError: EMPTY_BYTE_ARRAY
    at org.apache.logging.log4j.core.config.ConfigurationSource.<clinit>(ConfigurationSource.java:56)
    at org.apache.logging.log4j.core.config.NullConfiguration.<init>(NullConfiguration.java:32)
    at org.apache.logging.log4j.core.LoggerContext.<clinit>(LoggerContext.java:85)
    at org.apache.logging.log4j.core.selector.ClassLoaderContextSelector.createContext(ClassLoaderContextSelector.java:254)
    at org.apache.logging.log4j.core.selector.ClassLoaderContextSelector.locateContext(ClassLoaderContextSelector.java:218)
    at org.apache.logging.log4j.core.selector.ClassLoaderContextSelector.getContext(ClassLoaderContextSelector.java:140)
    at org.apache.logging.log4j.core.selector.ClassLoaderContextSelector.getContext(ClassLoaderContextSelector.java:123)
    at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:230)
    at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:47)
    at org.apache.logging.log4j.LogManager.getContext(LogManager.java:174)
    at org.apache.logging.log4j.LogManager.getLogger(LogManager.java:669)
{code}

> JNDI lookups in layout (not message patterns) enabled in Log4j2 < 2.16.0
> ------------------------------------------------------------------------
>
>                 Key: LOG4J2-3221
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3221
>             Project: Log4j 2
>          Issue Type: Bug
>            Reporter: Lucy Menon
>            Priority: Major
>             Fix For: 2.16.0
>
>
> The mitigation advice for CVE-2021-4428 suggests that for Log4j > 2.10.0 and
> < 2.15.0, the vulnerability can be avoided by setting
> {{-Dlog4j2.formatMsgNoLookups=true}} or upgrading to 2.15.0. However,
> many users may not be aware that even in this case, lookups used in layouts
> to provide specific pieces of context information will still recursively
> resolve, possibly triggering JNDI lookups. In order to avoid
> attacker-controlled JNDI lookups, users must also either:
> * Ensure that no such lookups resolve to attacker-provided data
> * Ensure that the JndiLookup class is not loaded
> * Upgrade to log4j2 2.16.0 (untested)

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
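The two points raised in this thread, that log4j-api and log4j-core must be upgraded together (the NoSuchFieldError above is the symptom of a newer log4j-core finding an older log4j-api on the classpath) and that a pre-2.16.0 log4j-core is only safe from layout-triggered JNDI lookups if JndiLookup.class has actually been removed, can both be checked from a deployment's JAR directory. The following is an added example, not code from the Log4j project or from either commenter: it identifies the two artifacts by marker classes rather than by file name, reads the version from the manifest's Implementation-Version attribute (falling back to the version embedded in the file name; the exact manifest attribute is an assumption), and reports skew and JndiLookup presence. The JARs it scans in the demo are constructed in a temporary directory, so it runs offline.

```python
"""Check a directory of JARs for log4j-api/log4j-core version skew and JndiLookup presence.
Added example; not part of the Log4j project. Marker classes below are real Log4j class names."""
import re
import tempfile
import zipfile
from pathlib import Path

# Classes that identify each artifact regardless of how the JAR file was named or relocated.
API_MARKER = "org/apache/logging/log4j/LogManager.class"
CORE_MARKER = "org/apache/logging/log4j/core/LoggerContext.class"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_IN_NAME = re.compile(r"-(\d+\.\d+\.\d+)\.jar$")
# First release that disables JNDI by default and that the issue recommends upgrading to.
JNDI_DISABLED_BY_DEFAULT = (2, 16, 0)


def parse_version(text):
    """'2.16.0' -> (2, 16, 0); tolerates suffixes such as '2.0-beta9' by keeping leading numbers."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def jar_version(zf, filename):
    """Version from MANIFEST.MF Implementation-Version (assumed attribute), else from the file name."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        manifest = ""
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    if m:
        return m.group(1)
    m = VERSION_IN_NAME.search(filename)
    return m.group(1) if m else None


def scan_jars(directory):
    """Return which log4j artifacts are present, their versions, and whether core still ships JndiLookup."""
    found = {"api": None, "core": None, "core_has_jndi_lookup": False}
    for path in sorted(Path(directory).glob("*.jar")):
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            if API_MARKER in names:
                found["api"] = jar_version(zf, path.name)
            if CORE_MARKER in names:
                found["core"] = jar_version(zf, path.name)
                found["core_has_jndi_lookup"] = JNDI_LOOKUP in names
    return found


def findings(scan):
    """Translate a scan into actionable findings; an empty list means nothing to report."""
    out = []
    api, core = scan["api"], scan["core"]
    if api and core and api != core:
        out.append(f"version skew: log4j-api {api} / log4j-core {core}; upgrade both together")
    if core and parse_version(core) < JNDI_DISABLED_BY_DEFAULT:
        if scan["core_has_jndi_lookup"]:
            # formatMsgNoLookups does not cover layout lookups, so the class itself must go.
            out.append(f"log4j-core {core} still contains JndiLookup.class; remove it or upgrade to 2.16.0+")
        else:
            out.append(f"log4j-core {core} has JndiLookup.class removed (pre-2.16.0 mitigation in place)")
    return out


def build_fake_jar(path, version, entries):
    """Constructed sample JAR: a manifest plus empty entries standing in for the named classes."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        for entry in entries:
            zf.writestr(entry, b"")


def demo():
    """Scan a constructed mismatched deployment (api 2.14.1, core 2.15.0 with JndiLookup present)."""
    with tempfile.TemporaryDirectory() as d:
        build_fake_jar(Path(d) / "log4j-api-2.14.1.jar", "2.14.1", [API_MARKER])
        build_fake_jar(Path(d) / "log4j-core-2.15.0.jar", "2.15.0", [CORE_MARKER, JNDI_LOOKUP])
        return findings(scan_jars(d))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

To use it against a real deployment, call `findings(scan_jars("/path/to/lib"))`; nested JARs inside a WAR or fat JAR are not unpacked here and would need a recursive pass.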