[ https://issues.apache.org/jira/browse/JAMES-3685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459669#comment-17459669 ]

Bernd Bartke commented on JAMES-3685:
-------------------------------------

+1 to upgrade to Log4J 2.16.0
... if not switching the logging library. But that's another issue.

[CVE-2021-45046|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046] 
Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern 
vulnerable to a denial of service attack.
Severity: Moderate

[Apache Log4j Security 
Vulnerabilities|https://logging.apache.org/log4j/2.x/security.html]

Description:
{quote}
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was 
incomplete in certain non-default configurations. This could allow attackers 
with control over Thread Context Map (MDC) input data when the logging 
configuration uses a non-default Pattern Layout with either a Context Lookup 
(for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or 
%MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a 
denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to 
localhost by default. Note that previous mitigations involving configuration 
such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT 
mitigate this specific vulnerability.
{quote}

Log4j 2.16.0 fixes this issue by removing support for message lookup patterns 
and disabling JNDI functionality by default. 
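The advisory quoted above makes the exposure conditional on a non-default PatternLayout (a Context Lookup such as `$${ctx:loginId}` or a `%X`/`%mdc`/`%MDC` conversion) combined with a Log4j version below 2.16.0. The following added check, not code from the James project or the commenter, parses a log4j2.xml and reports whether those conditions are met; the sample configuration and the `assess` status labels are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Layout elements named in the CVE-2021-45046 advisory as the non-default
# PatternLayout features that let MDC-controlled data reach the lookup code.
CONTEXT_LOOKUP = re.compile(r"\$\$?\{ctx:")
THREAD_CONTEXT_PATTERN = re.compile(r"%(X|mdc|MDC)\b")


def version_tuple(version):
    """Turn '2.15.0' into (2, 15, 0) for ordered comparison."""
    return tuple(int(part) for part in version.split("."))


def risky_patterns(log4j2_xml):
    """Return every PatternLayout pattern in the given log4j2.xml text that
    uses a Context Lookup or a Thread Context Map conversion pattern."""
    root = ET.fromstring(log4j2_xml)
    hits = []
    for layout in root.iter("PatternLayout"):
        pattern = layout.get("pattern", "")
        if CONTEXT_LOOKUP.search(pattern) or THREAD_CONTEXT_PATTERN.search(pattern):
            hits.append(pattern)
    return hits


def assess(log4j2_xml, log4j_version):
    """Combine the layout check with the installed version. 2.16.0 removes
    message lookup patterns and disables JNDI by default, so it is reported as
    fixed regardless of layout; older versions are affected only when a risky
    layout is present."""
    hits = risky_patterns(log4j2_xml)
    if version_tuple(log4j_version) >= (2, 16, 0):
        return "fixed", hits
    return ("affected" if hits else "default-layout"), hits


# Constructed sample configuration; the Console layout is deliberately
# non-default, the File layout is the plain default-style pattern.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p user=$${ctx:loginId} %X{requestId} %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout pattern="%d %p %c - %m%n"/>
    </File>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG, "2.15.0"))
```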

> upgrade to log4j 2.16.0
> -----------------------
>
>                 Key: JAMES-3685
>                 URL: https://issues.apache.org/jira/browse/JAMES-3685
>             Project: James Server
>          Issue Type: Improvement
>          Components: James Core
>            Reporter: PJ Fanning
>            Priority: Major
>
> https://mail-archives.apache.org/mod_mbox/www-announce/202112.mbox/%3CCACmp6ko9BevS%2BdKLPRon1sC9Aiz%3Ded7S1qpuqmE8c8U8Wr2u7Q%40mail.gmail.com%3E



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
