Hi everyone.
I was checking the operation of 2.16.0.
There, I found a case where no logs were output when I specified lookups
for ThreadContext.
Here is the code I tested.
[log4j2.xml]
[Java]
import org.apache.log4j.LogManager;
import

JNDI supports DNS as one of its protocols, but I've never confirmed
that you can load anything malicious through it. I've assumed it's
possible, though. I don't know if whitelisting DNS servers is
sufficient due to recursive DNS resolution in the protocol itself.
On Tue, Dec 14, 2021 at 2:35 PM

The Apache Log4j 2 team is pleased to announce the Log4j 2.12.2 release!
Apache Log4j is a well known framework for logging application
behavior. Log4j 2 is an upgrade to Log4j that provides significant
improvements over its predecessor, Log4j 1.x, and provides many other
modern features such as

Dear log4j experts,
It's sad that this nice project gets so much negative attention because of the
current security issue.
I have a question to analyse the impact for me:
I've been using Log4j2 in a web application run in Tomcat 9.0 (always latest
version).
On my Linux machine, this Tomcat