[
https://issues.apache.org/jira/browse/LOG4J2-3262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sivakumar Sivaprahasam closed LOG4J2-3262.
------------------------------------------
> Log4j 2.x mitigations for CVE-45046 is insufficient
> ---------------------------------------------------
>
> Key: LOG4J2-3262
> URL: https://issues.apache.org/jira/browse/LOG4J2-3262
> Project: Log4j 2
> Issue Type: Bug
> Components: Documentation
> Reporter: Sivakumar Sivaprahasam
> Priority: Major
> Labels: security
>
> The mitigation steps provided for CVE-2021-45046 for those who cannot upgrade
> to 2.16, seems insufficient. The current description for CVE-2021-45046 says
> it includes attacks using non-default Pattern Layout with a Context Lookup in
> the configuration.
> The removal of JNDILookup class file isn't the only solution to curb this
> issue because the lookup still occurs when the config is loaded.
> Hence the mitigation steps must include the removal of references to context
> lookups where the data comes from ThreadContext or from external sources at
> runtime. (similar to the one provided for CVE-2021-45105 or the same can be
> included here too)
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
