[ https://issues.apache.org/jira/browse/LOG4J2-3262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17465041#comment-17465041 ]

Volkan Yazici commented on LOG4J2-3262:
---------------------------------------

Thanks so much for the heads up [~sivakumarsivaprahasam]! The issue you have 
raised should have been addressed. Would you mind checking [the security 
page|https://logging.apache.org/log4j/2.x/security.html] again and closing this 
ticket (if you think your remarks were addressed), please?

Next time, please consider opening a PR targeting the {{release-2.x}} branch 
instead.

> Log4j 2.x mitigations for CVE-45046 is insufficient
> ---------------------------------------------------
>
>                 Key: LOG4J2-3262
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3262
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: Documentation
>            Reporter: Sivakumar Sivaprahasam
>            Priority: Major
>              Labels: security
>
> The mitigation steps provided for CVE-2021-45046 for those who cannot upgrade 
> to 2.16, seem insufficient. The current description for CVE-2021-45046 says 
> it includes attacks using non-default Pattern Layout with a Context Lookup in 
> the configuration.
> The removal of the JndiLookup class file isn't the only solution to curb this 
> issue because the lookup still occurs when the config is loaded. 
> Hence the mitigation steps must include the removal of references to context 
> lookups where the data comes from ThreadContext or from external sources at 
> runtime. (similar to the one provided for CVE-2021-45105 or the same can be 
> included here too)
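The reporter's point is that deleting the JndiLookup class file does not remove the Context Lookups (`${ctx:...}`) a PatternLayout may still carry, and those are what CVE-2021-45046 concerns. The following is an added example, not code from the Log4j project, the ticket or the commenter: a small audit helper that scans a log4j2.xml for lookups whose values come from runtime data (ctx, map, sd) or from JNDI, rewrites plain `${ctx:key}` references to the `%X{key}` thread-context pattern that the Log4j security page recommends as the replacement, and checks whether a log4j-core jar still ships JndiLookup.class. The sample configuration and the in-memory jar are constructed for the demonstration; the class path and the lookup prefixes are the real Log4j ones.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample log4j2.xml (not from the ticket). The "Risky" appender
# still uses a Context Lookup in its pattern, the configuration that
# CVE-2021-45046 concerns; the "Safe" appender uses %X, which reads the
# ThreadContext value without running the StrSubstitutor lookup machinery.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Risky" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] user=${ctx:loginId} %m%n"/>
    </Console>
    <Console name="Safe" target="SYSTEM_OUT">
      <PatternLayout>
        <Pattern>%d %p %c{1.} [%t] user=%X{loginId} %m%n</Pattern>
      </PatternLayout>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Risky"/>
      <AppenderRef ref="Safe"/>
    </Root>
  </Loggers>
</Configuration>
"""

# Real path of the class inside log4j-core-2.x.jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Lookup prefixes whose values come from data an attacker may influence
# (ctx = ThreadContext, map = MapMessage, sd = StructuredDataMessage) plus
# jndi itself. Matches both ${ctx:key} and the escaped $${ctx:key} form.
RISKY_LOOKUP = re.compile(r"\$\$?\{(ctx|map|sd|jndi):[^}]*\}")

# Plain ${ctx:key} only: a key with a ":-default" clause is left untouched,
# because %X{key} has no default syntax and needs a manual decision.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}:]+)\}")


def find_risky_lookups(config_xml):
    """Return (element tag, attribute name or 'text', lookup) for every risky lookup."""
    findings = []
    root = ET.fromstring(config_xml)
    for elem in root.iter():
        candidates = list(elem.attrib.items())
        if elem.text:
            candidates.append(("text", elem.text))
        for where, value in candidates:
            for match in RISKY_LOOKUP.finditer(value):
                findings.append((elem.tag, where, match.group(0)))
    return findings


def rewrite_context_lookups(pattern):
    """Replace ${ctx:key} / $${ctx:key} with %X{key} in a layout pattern string."""
    return CTX_LOOKUP.sub(r"%X{\1}", pattern)


def jar_contains_jndi_lookup(jar_bytes):
    """True if the jar still contains JndiLookup.class (class-removal mitigation not applied)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return JNDI_LOOKUP_CLASS in jar.namelist()


def build_sample_jar(include_jndi_lookup):
    """Constructed stand-in for a log4j-core jar: a zip holding empty class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/lookup/DateLookup.class", b"")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for tag, where, lookup in find_risky_lookups(SAMPLE_CONFIG):
        print(f"risky lookup in <{tag}> {where}: {lookup}")
    print(rewrite_context_lookups("user=${ctx:loginId} %m%n"))
    print("JndiLookup.class present:", jar_contains_jndi_lookup(build_sample_jar(True)))
```

Run both checks together: a deployment that cannot move to 2.16 is only covered when `jar_contains_jndi_lookup` is false and `find_risky_lookups` returns nothing for every loaded configuration, which is exactly the combination the ticket asks the mitigation text to spell out.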
--
This message was sent by Atlassian Jira
(v8.20.1#820001)