[
https://issues.apache.org/jira/browse/LOG4J2-3320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17469676#comment-17469676
]
Ralph Goers commented on LOG4J2-3320:
-------------------------------------
All of our recommendations are listed at
https://logging.apache.org/log4j/2.x/security.html. SMTPAppender is not
impacted by any of these CVEs. Removing JndiManager, JmsAppender, JdbcAppender,
& JndiContextSelector may, or may not, work depending on the release of Log4j.
Generally, if the application starts without getting a NoClassDefFoundError you
should be OK. However, JndiLookup was the critical component to remove as there
were various attack vectors to get to it. The other classes pretty much all
have to be configured in the Log4j configuration for there to be an issue.
> log4j vulnerability / Mitigations
> ---------------------------------
>
> Key: LOG4J2-3320
> URL: https://issues.apache.org/jira/browse/LOG4J2-3320
> Project: Log4j 2
> Issue Type: Bug
> Reporter: encryptomator
> Priority: Major
>
> Hi,
> I have read that besides the JndiLookup classes, there are others that need
> to be removed.
> JndiManager, JMSAppender, SMTPAppender.
> Does anyone here know more about this?
> https://fossa.com/blog/quickly-find-remediate-log4j-vulnerabilities-log4shell/
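A way to check which of the classes named in the comment above are still present in a deployed archive, including jars nested inside a WAR or fat jar. This is an added example, not code from the Log4j project or from the commenter; the function names, the severity labels and the sample archive are assumptions made for illustration, and classes are matched by simple file name so no package path is assumed.

```python
import io
import zipfile

# Classes named in the comment above, matched by simple class-file name.
# A same-named class from another library would also match, so review hits.
# The severity labels follow the comment's wording; they are not official.
CRITICAL = {"JndiLookup.class"}
CONFIG_DEPENDENT = {"JndiManager.class", "JmsAppender.class",
                    "JdbcAppender.class", "JndiContextSelector.class"}
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")
MAX_DEPTH = 5  # bound recursion into nested archives


def scan_archive(data, label="archive", depth=0):
    """Return sorted (location, entry, severity) for each named class found."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable archive; nothing to report
    with zf:
        for info in zf.infolist():
            simple = info.filename.rsplit("/", 1)[-1]
            if simple in CRITICAL:
                findings.append((label, info.filename, "critical"))
            elif simple in CONFIG_DEPENDENT:
                findings.append((label, info.filename, "config-dependent"))
            elif info.filename.lower().endswith(ARCHIVE_SUFFIXES) and depth < MAX_DEPTH:
                nested = zf.read(info)
                findings += scan_archive(nested, f"{label}!/{info.filename}", depth + 1)
    return sorted(findings)


def build_sample_war():
    """Constructed sample: a WAR bundling a stand-in jar with empty class files."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        for name in ("pkg/lookup/JndiLookup.class", "pkg/net/JndiManager.class",
                     "pkg/appender/SmtpAppender.class"):
            jar.writestr(name, b"")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-sample.jar", inner.getvalue())
        war.writestr("WEB-INF/classes/app/Main.class", b"")
    return outer.getvalue()


if __name__ == "__main__":
    for location, entry, severity in scan_archive(build_sample_war(), "sample.war"):
        print(f"{severity:17} {location} -> {entry}")
```

To scan a real file, pass its bytes, for example `scan_archive(open(path, "rb").read(), path)`. An empty result only means the named class files are absent; the application still has to start without a NoClassDefFoundError, as the comment notes.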