[ https://issues.apache.org/jira/browse/JAMES-3685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459669#comment-17459669 ]
Bernd Bartke commented on JAMES-3685:
-------------------------------------

+1 to upgrade to Log4J 2.16.0 ... if not switching logging library. But that's another issue.

[CVE-2021-45046|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046]
Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.
Severity: Moderate
[Apache Log4j Security Vulnerabilities|https://logging.apache.org/log4j/2.x/security.html]

Description:
{quote}
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability.
{quote}

Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
> upgrade to log4j 2.16.0
> -----------------------
>
>                 Key: JAMES-3685
>                 URL: https://issues.apache.org/jira/browse/JAMES-3685
>             Project: James Server
>          Issue Type: Improvement
>          Components: James Core
>            Reporter: PJ Fanning
>            Priority: Major
>
> https://mail-archives.apache.org/mod_mbox/www-announce/202112.mbox/%3CCACmp6ko9BevS%2BdKLPRon1sC9Aiz%3Ded7S1qpuqmE8c8U8Wr2u7Q%40mail.gmail.com%3E

--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org
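The advisory quoted in the comment above only applies when the PatternLayout reads Thread Context Map data (%X, %mdc, %MDC) or uses a context lookup (${ctx:...}), which is not the default layout. The following script is an added illustration, not James project code or anything from the Log4j project: it scans a log4j2.xml configuration for exactly those pattern elements so a deployment can tell whether it falls into the affected non-default class. The two embedded configurations are constructed samples. The scan is a triage aid only; the fix the issue asks for is upgrading log4j-core to 2.16.0.

```python
"""Scan a Log4j 2 XML configuration for the non-default PatternLayout
settings that CVE-2021-45046 depends on.

Added illustration, not James project code. It only inspects the
configuration; the actual fix is upgrading log4j-core to 2.16.0.
"""
import re
import xml.etree.ElementTree as ET

# Thread Context Map conversion patterns named in the advisory: %X, %mdc, %MDC
MDC_CONVERSION = re.compile(r"%(?:X|mdc|MDC)(?![A-Za-z])")
# Context Lookup, e.g. ${ctx:loginId} or the deferred form $${ctx:loginId}
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:")

# Constructed sample: the stock layout from the Log4j 2 docs, no MDC data read.
DEFAULT_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

# Constructed sample: two appenders, one using %X{...}, one using $${ctx:...}.
RISKY_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="[%X{loginId}] %msg%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>$${ctx:loginId} %msg%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""


def _patterns_in(config_xml):
    """Yield every layout pattern string found in the configuration,
    whether given as a pattern="..." attribute or a nested <Pattern> element."""
    root = ET.fromstring(config_xml)
    for elem in root.iter():
        pat = elem.get("pattern")
        if pat:
            yield pat
        if elem.tag == "Pattern" and elem.text:
            yield elem.text.strip()


def risky_patterns(config_xml):
    """Return (pattern, reason) for each layout pattern that reads Thread
    Context Map data, the precondition the advisory describes.
    An empty list means the configuration is not in the affected class."""
    findings = []
    for pat in _patterns_in(config_xml):
        if MDC_CONVERSION.search(pat):
            findings.append((pat, "thread context map pattern (%X/%mdc/%MDC)"))
        elif CTX_LOOKUP.search(pat):
            findings.append((pat, "context lookup (${ctx:...})"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("risky", RISKY_CONFIG)):
        hits = risky_patterns(cfg)
        print(f"{name}: {len(hits)} pattern(s) reading Thread Context Map data")
        for pat, reason in hits:
            print(f"  {reason}: {pat}")
```

Run it against your real `log4j2.xml` by replacing the embedded samples with the file contents; a hit means attacker-controlled MDC values reach the pattern and the 2.15.0 fix does not cover you, regardless of `log4j2.noFormatMsgLookup`.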