[ https://issues.apache.org/jira/browse/LOG4J2-3262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sivakumar Sivaprahasam updated LOG4J2-3262:
-------------------------------------------
    Description: 
The mitigation steps provided for CVE-2021-45046 for those who cannot upgrade 
to 2.16 seem insufficient. The current description for CVE-2021-45046 says it 
includes attacks using a non-default Pattern Layout with a Context Lookup in the 
configuration.

The removal of the JndiLookup class file isn't the only solution to curb this issue, 
because the lookup still occurs when the config is loaded. 

Hence the mitigation steps must include the removal of references to context 
lookups where the data comes from ThreadContext or from external sources at 
runtime (similar to the one provided for CVE-2021-45105, or the same can be 
included here too).


> Log4j 2.x mitigations for CVE-2021-45046 are insufficient
> ---------------------------------------------------------
>
>                 Key: LOG4J2-3262
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3262
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: Documentation
>            Reporter: Sivakumar Sivaprahasam
>            Priority: Major
>              Labels: security
>
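As an added example (this is not code from the Log4j project or from the issue reporter): a small POSIX shell script that finds the non-default PatternLayouts the report refers to, i.e. configurations still carrying a "${ctx:...}" or "$${ctx:...}" Context Lookup (or a "jndi:" lookup) after JndiLookup.class has been removed from the jar, and rewrites those context lookups to the "%X{key}" Thread Context Map converter, which is the replacement the Apache advisory gives for CVE-2021-45105. The two sample configurations it writes and the directory layout it scans are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Log4j project or the issue report: locate
# Context Lookups that survive the "delete JndiLookup.class" mitigation and
# rewrite them to the %X{key} converter. Sample configs and paths are constructed.

# List each line of a log4j2* config file under $1 that references a ctx: or
# jndi: lookup, in either the "${...}" form (substituted when the configuration
# is loaded) or the "$${...}" form (kept as a lookup evaluated at log time).
# Output is "file:line:text"; use count_context_lookups for a pass/fail value.
scan_log4j_configs() {
  find "$1" -type f -name 'log4j2*' -exec grep -nHE '\$\$?\{(ctx|jndi):' {} +
}

# Number of offending lines under $1; 0 means no ctx:/jndi: lookups remain.
count_context_lookups() {
  scan_log4j_configs "$1" | wc -l | tr -d ' '
}

# Rewrite one PatternLayout pattern string: "${ctx:KEY}" and "$${ctx:KEY}"
# become "%X{KEY}". The Thread Context Map converter writes the ThreadContext
# value into the log line verbatim instead of handing it to the lookup engine.
# Lookups that carry a default ("${ctx:KEY:-fallback}") are deliberately left
# alone; scan_log4j_configs keeps reporting them for manual review.
harden_pattern() {
  printf '%s' "$1" | sed -E 's/\$\$?\{ctx:([A-Za-z0-9_.-]+)\}/%X{\1}/g'
}

# Write a constructed vulnerable configuration and its hardened twin under $1.
write_sample_configs() {
  mkdir -p "$1/vulnerable" "$1/hardened"
  cat > "$1/vulnerable/log4j2.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <!-- Non-default pattern: loginId is read from ThreadContext through a
         Context Lookup, so client-controlled input reaches the lookup engine. -->
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p [%t] $${ctx:loginId} %c - %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
EOF
  cat > "$1/hardened/log4j2.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <!-- Thread Context Map converter: the loginId value is written verbatim. -->
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p [%t] %X{loginId} %c - %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
EOF
}

# Demonstration on the constructed tree: report the vulnerable file, show that
# the hardened file is clean, and print the rewritten pattern.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
scan_log4j_configs "$demo_dir"
echo "remaining lookups in hardened config: $(count_context_lookups "$demo_dir/hardened")"
harden_pattern '%d %p [%t] $${ctx:loginId} %c - %m%n'
echo
rm -rf "$demo_dir"
```

Run it with sh. The scan only looks at files named log4j2*, so configurations loaded under another name or built programmatically need a separate check, and because "%m" is unaffected by this rewrite the script does nothing about message lookups; those are addressed by the upgrade itself, not by the pattern change.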



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
