[
https://issues.apache.org/jira/browse/LOG4J2-3262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17466317#comment-17466317
]
Sivakumar Sivaprahasam commented on LOG4J2-3262:
------------------------------------------------
Hello [~vy], thanks for the note. I checked [the security
page|https://logging.apache.org/log4j/2.x/security.html] now and noticed that
the mitigation for CVE-2021-45046 under the 2.x version still requires an update.
As you mentioned, I will perhaps create a PR for the same and have this ticket
closed.
Thanks
> Log4j 2.x mitigations for CVE-45046 is insufficient
> ---------------------------------------------------
>
> Key: LOG4J2-3262
> URL: https://issues.apache.org/jira/browse/LOG4J2-3262
> Project: Log4j 2
> Issue Type: Bug
> Components: Documentation
> Reporter: Sivakumar Sivaprahasam
> Priority: Major
> Labels: security
>
> The mitigation steps provided for CVE-2021-45046 for those who cannot upgrade
> to 2.16 seem insufficient. The current description for CVE-2021-45046 says
> it includes attacks using a non-default Pattern Layout with a Context Lookup in
> the configuration.
> The removal of the JNDILookup class file isn't the only solution to curb this
> issue, because the lookup still occurs when the config is loaded.
> Hence the mitigation steps must include the removal of references to context
> lookups where the data comes from ThreadContext or from external sources at
> runtime (similar to the one provided for CVE-2021-45105, or the same can be
> included here too).
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
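The mitigation the ticket asks to have documented is the one the security page gives for CVE-2021-45105: in PatternLayout, replace Context Lookups such as ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X{loginId}), because %X prints the value as-is while ${ctx:...} runs the value through the lookup substitutor again. The following script is an added example for auditing a log4j2.xml for that pattern and printing the hardened replacement; it is not code from the Log4j project or from the ticket. The sample configuration is constructed for the example, the regex only matches ${ctx:key} and $${ctx:key} written directly in a pattern (a context lookup nested inside another lookup, or a pattern assembled from properties, is not detected), and a :-default suffix is dropped because %X has no default syntax.

```python
import re
import xml.etree.ElementTree as ET

# Matches ${ctx:key} and $${ctx:key} (the "$$" form is the deferred lookup normally
# written inside PatternLayout). An optional ":-default" suffix is consumed but not
# carried over, since %X{key} cannot express a default value.
CTX_LOOKUP = re.compile(r"\$?\$\{ctx:([^}:]+)(?::-[^}]*)?\}")

# Constructed sample config: the Console appender uses Context Lookups in its
# pattern (the risky form); the Audit appender already uses %X (the safe form).
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} [%t] ${ctx:loginId} $${ctx:requestId} %-5level %c - %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d %X{loginId} %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
      <AppenderRef ref="Audit"/>
    </Root>
  </Loggers>
</Configuration>
"""


def _layout_pattern(layout):
    """Read the pattern from either the 'pattern' attribute or a <Pattern> child."""
    pattern = layout.get("pattern")
    if pattern is None:
        child = layout.find("Pattern")
        pattern = child.text if child is not None and child.text else ""
    return pattern


def find_context_lookups(config_xml):
    """Return [(appender_name, pattern, [keys])] for every PatternLayout whose
    pattern still contains a Context Lookup."""
    root = ET.fromstring(config_xml)
    findings = []
    for element in root.iter():
        for layout in element.findall("PatternLayout"):
            pattern = _layout_pattern(layout)
            keys = CTX_LOOKUP.findall(pattern)
            if keys:
                findings.append((element.get("name", element.tag), pattern, keys))
    return findings


def harden_pattern(pattern):
    """Rewrite ${ctx:key} / $${ctx:key} to %X{key}. %X reads the Thread Context Map
    directly and does not interpolate the value, so attacker-controlled context data
    is printed verbatim instead of being evaluated as further lookups."""
    return CTX_LOOKUP.sub(lambda m: "%X{" + m.group(1) + "}", pattern)


def audit(config_xml):
    """Return one human-readable finding per affected appender."""
    report = []
    for name, pattern, keys in find_context_lookups(config_xml):
        report.append(
            "appender %s: context lookup(s) %s in pattern; replace with: %s"
            % (name, ", ".join(keys), harden_pattern(pattern))
        )
    return report


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

Run it against a real log4j2.xml by replacing SAMPLE_CONFIG with the file contents; an empty report means no PatternLayout still uses a direct Context Lookup. Removing JndiLookup from the jar is a separate step and does not change what this check reports, which is the point of the ticket.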