stating that the presence of Tomcat alone would
open up another attack vector through log4j2.
Best regards,
David
-Original Message-
From: Juri Berlanda
Sent: Monday, 13 December 2021 16:03
To: users@tomcat.apache.org
Subject: Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time
> From: Juri Berlanda
> Sent: 13 December 2021 15:03
> Subject: [External] Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs
> compile time Java version
> Hi,
> we were affected - we use an AccessLogValve, which logs to Log4j2 and we
> use Log4j as java.util.logging L
-44228 Log4j 2 Vulnerability - Runtime vs compile time
Java version
Hi,
we were affected - we use an AccessLogValve, which logs to Log4j2 and we use
Log4j as java.util.logging LogManager. We already patched, but only on Saturday.
In any case: in a lot of places I saw "recent JRE versions
There have been multiple patches for RMI and LDAP over time in Java.
The first article states which attack (from the one the researcher analyzed)
was possible in which version.
https://www.veracode.com/blog/research/exploiting-jndi-injections-java
https://github.com/mbechler/marshalsec/
If
Hi,
we were affected - we use an AccessLogValve, which logs to Log4j2 and we
use Log4j as java.util.logging LogManager. We already patched, but only
on Saturday.
In any case: in a lot of places I saw "recent JRE versions have a
mitigation in place", but I can't seem to find which JRE
09:36
To: users@tomcat.apache.org
Subject: [External] Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs
compile time Java version
On 13/12/2021 09:21, David Weisgerber wrote:
> Hi,
> as far as I read through the details, it is a runtime option of the JRE. So,
> it does not need any recompila
Tim,
Adding to what others have posted...
On 12/13/21 03:57, Scott,Tim wrote:
> Suspecting that someone here knows the answer immediately, I thought I’d
> ask.
> If you do not know the answer, please don’t spend any time
> investigating: I’ll do that later today and update everyone whether or
> not
On 13/12/2021 09:21, David Weisgerber wrote:
> Hi,
> as far as I read through the details, it is a runtime option of the JRE. So, it
> does not need any recompilation.
> However, some websites pointed out that if you are using Tomcat you could
> bypass the JRE protection.
Correct, it is the runtime
Hi,
as far as I read through the details, it is a runtime option of the JRE. So, it
does not need any recompilation.
However, some websites pointed out that if you are using Tomcat you could
bypass the JRE protection.
Best regards,
David
From: Scott,Tim
Sent: Monday, 13 December 2021 09:57