Good to note that this only covers the common use case. That property didn’t end up protecting some advanced use cases that were patched in later releases of log4j-core (CVE-2021-45046 to be specific). It’s a fairly important flag to set in older versions, though, as it’s a fairly broken “feature” as it is regardless of the RCE aspect. Just note that it’s not sufficient to protect against configurations that use lookups to insert user-provided data. -- Matt Sicker
> On Dec 27, 2021, at 07:26, Ceki Gülcü <c...@qos.ch> wrote:
>
> Hi David,
>
> Thank you for sharing this information.
> --
> Ceki Gülcü
>
> Please contact support(at)qos.ch for donations, sponsorship or support
> contracts related to SLF4J or logback projects.
>
> On 22/12/2021 22:24, David Smiley wrote:
>> Hello Slf4j community,
>> I'd like to share a happy discovery about the well-known "Log4shell"
>> vulnerability on Log4j2. Apps that use Slf4j with Log4j2 backing (and which
>> don't otherwise call Log4j2 directly) can be mitigated by
>> log4j2.formatMsgNoLookups=true
>> https://lists.apache.org/thread/kgh63sncrsm2bls884pg87mnt8vqztmz
>> As I write this (with Ralph having yet to respond to my follow-up), it's not
>> really some final determination but it's highly encouraging.
>> ~ David Smiley
>> Apache Lucene/Solr Search Developer
>> http://www.linkedin.com/in/davidwsmiley
> _______________________________________________
> slf4j-user mailing list
> slf4j-user@qos.ch
> http://mailman.qos.ch/mailman/listinfo/slf4j-user
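As an added example (not code from this thread, nor from the SLF4J or Log4j projects), the Python script below checks the two points the thread raises: whether log4j2.formatMsgNoLookups is actually set for the JVM, and whether a Log4j2 configuration contains PatternLayouts that pull Thread Context data through lookups, the case Matt notes the flag does not cover. It assumes a constructed sample log4j2.xml and that the property arrives either as a -D argument or as the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable.

```python
import xml.etree.ElementTree as ET

# Markers in a Log4j2 layout pattern that insert Thread Context (MDC) values.
# formatMsgNoLookups only disables lookups inside the *message* text, so a
# layout that does its own ${ctx:...} lookup on user-supplied context data is
# the case the flag does not cover (the CVE-2021-45046 caveat above).
CONTEXT_MARKERS = ("${ctx:", "%X", "%mdc", "%MDC")

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONFIG = """<Configuration>
  <Appenders>
    <Console name="Safe">
      <PatternLayout pattern="%d %p %c - %m%n"/>
    </Console>
    <Console name="Risky">
      <PatternLayout pattern="%d %p user=$${ctx:loginId} %m%n"/>
    </Console>
  </Appenders>
</Configuration>"""


def risky_layouts(config_xml: str) -> list:
    """Return (appender name, pattern) for PatternLayouts that expand context data."""
    root = ET.fromstring(config_xml)
    found = []
    for element in root.iter():
        for layout in element.findall("PatternLayout"):
            pattern = layout.get("pattern", "")
            if any(marker in pattern for marker in CONTEXT_MARKERS):
                found.append((element.get("name", "?"), pattern))
    return found


def no_lookups_set(jvm_args: list, env: dict) -> bool:
    """True if message lookups are disabled via -D property or env var."""
    if any(a.lower() == "-dlog4j2.formatmsgnolookups=true" for a in jvm_args):
        return True
    return env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true"


def assess(config_xml: str, jvm_args: list, env: dict) -> dict:
    """Combine both checks; the flag is only a mitigation if no layout does lookups."""
    risky = risky_layouts(config_xml)
    flag = no_lookups_set(jvm_args, env)
    return {"flag_set": flag, "risky_layouts": risky,
            "flag_sufficient": flag and not risky}


if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG, ["-Dlog4j2.formatMsgNoLookups=true"], {}))
```

Where the script reports a risky layout, the property is not enough and the fix is upgrading log4j-core, as the caveat above says.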