[https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17462850#comment-17462850]
William Tulaba commented on LOG4J2-3230:
----------------------------------------
[~pmalone] Thank you for asking the question.
I'm trying to see what the exposure is as well based on this line from the
history section.
"The safest thing to do is to upgrade Log4j to a safe version, or remove the
JndiLookup class from the log4j-core jar."
In the 2.15 section, it is suggested to upgrade to 2.16, or...
* Otherwise, in any release other than 2.16.0, you may remove the JndiLookup
class from the classpath:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
So the question I have, as many others do: if the workaround for an older
version was done, do we need to apply the workaround listed in 2.17 until we
can complete an update to 2.17, or is the removal of the JndiLookup class
sufficient to not allow CVE-2021-45105, CVE-2021-45046, and CVE-2021-44228?
> Certain strings can cause infinite recursion
> --------------------------------------------
>
> Key: LOG4J2-3230
> URL: https://issues.apache.org/jira/browse/LOG4J2-3230
> Project: Log4j 2
> Issue Type: Bug
> Components: Core
> Affects Versions: 2.8, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.10.0, 2.11.0, 2.11.1,
> 2.11.2, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.13.2, 2.14.0, 2.13.3, 2.14.1,
> 2.15.0, 2.16.0
> Reporter: Ross Cohen
> Assignee: Carter Kozak
> Priority: Major
> Fix For: 2.17.0
>
> Attachments: sample.tar.gz
>
>
> If a string substitution is attempted for any reason on the following string,
> it will trigger an infinite recursion, and the application will crash:
> ${${::\-${::\-$${::\-j}}}}.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
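Added example, not from the commenter or the Log4j project: a Python check that opens a log4j-core jar, reads its version from the Maven pom.properties or the manifest, and reports whether JndiLookup.class is still present. The assessment it returns encodes only what this thread records: removing JndiLookup.class is the quoted workaround for the JNDI lookups, while this ticket lists 2.8 through 2.16.0 as affected by the substitution recursion and 2.17.0 as the fix; the recursion described in the issue is in string substitution itself, so stripping the JNDI class does not change it. build_sample_jar writes a constructed stand-in jar (placeholder bytes, not real bytecode) so the check runs offline; on a real host point inspect_jar at the actual jars found on the classpath.

```python
import os
import re
import tempfile
import zipfile

# Class whose removal is the workaround quoted in the comment above.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata path that log4j-core jars carry (used for the version).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Affects Versions range and Fix For version as recorded on LOG4J2-3230.
RECURSION_AFFECTED_FROM = (2, 8, 0)
RECURSION_FIX_VERSION = (2, 17, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '2.0-beta9' yield (2, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(p or 0) for p in m.groups())


def inspect_jar(jar_path):
    """Report the log4j-core version and whether JndiLookup.class is inside the jar."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is None and "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            found = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if found:
                version = found.group(1)
    return {"jar": str(jar_path), "version": version,
            "jndi_lookup_present": JNDI_LOOKUP in names}


def assess(info):
    """Turn inspect_jar() output into findings, using only what the ticket states."""
    findings = []
    if info["jndi_lookup_present"]:
        findings.append("JndiLookup.class present: JNDI lookup workaround not applied")
    else:
        findings.append("JndiLookup.class removed: JNDI lookup workaround applied")
    v = parse_version(info["version"]) if info["version"] else None
    if v is None:
        findings.append("version unknown: inspect the jar manually")
    elif v >= RECURSION_FIX_VERSION:
        findings.append("2.17.0 or later: carries the fix for LOG4J2-3230 (CVE-2021-45105)")
    elif v >= RECURSION_AFFECTED_FROM:
        findings.append("in the 2.8-2.16.0 Affects range of LOG4J2-3230 (CVE-2021-45105): "
                        "string-substitution recursion, not addressed by JndiLookup removal")
    else:
        findings.append("older than the versions listed on LOG4J2-3230: check separately")
    return findings


def build_sample_jar(path, version, include_jndi=True):
    """Write a constructed stand-in for log4j-core-<version>.jar (fixture, not a real jar)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        zf.writestr(POM_PROPS, "version=%s\nartifactId=log4j-core\n" % version)
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder, not bytecode


def run_demo():
    """Build two constructed jars and return their findings keyed by label."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        stripped = os.path.join(d, "log4j-core-2.14.1.jar")
        build_sample_jar(stripped, "2.14.1", include_jndi=False)
        results["2.14.1-stripped"] = assess(inspect_jar(stripped))
        fixed = os.path.join(d, "log4j-core-2.17.0.jar")
        build_sample_jar(fixed, "2.17.0", include_jndi=True)
        results["2.17.0"] = assess(inspect_jar(fixed))
    return results


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(label)
        for f in findings:
            print("  -", f)
```

To scan a real system, replace the constructed jars with the paths of every log4j-core jar on the classpath (including copies nested inside WAR or fat-jar archives, which this check does not unpack) and review the two findings per jar: the first tells you whether the class-removal workaround is in place, the second whether the version is inside this ticket's affected range.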