Thanks for the heads up, Keith. I can see Log4j's documentation has been updated to reflect that: https://logging.apache.org/log4j/2.x/security.html
On Sat, 11 Dec 2021 at 18:37, Keith Bourgoin <[email protected]> wrote:

> Hey folks,
>
> I imagine a lot of people are dealing with log4Shell right now. I wanted
> to drop a link to this JIRA comment
> <https://issues.apache.org/jira/browse/LOG4J2-3201?focusedCommentId=17456954&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17456954>
> that has a pretty clever way to handle it. You can unzip the jar, delete
> the class, and it keeps working. It relies on this block
> <https://github.com/apache/logging-log4j2/blob/rel/2.0/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java#L75-L83>,
> which is a pretty lucky break.
>
> The whole thing can be run as
>
>     zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
>
> We've had good luck patching Storm 1.2.2. Good luck to everyone patching
> their systems today!
>
> Keith.
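Added example, not part of the original thread and not code from Log4j or Storm: a post-patch check that JndiLookup.class is really gone. `zip -d` only deletes the entry from the archive it is pointed at, so a log4j-core jar bundled inside a fat jar or war keeps its copy; this sketch recurses into nested archives. The function names and the sample jars (including the name `log4j-core-2.x.jar`) are constructed for illustration.

```python
import io
import zipfile

# Entry that the quoted zip -d command deletes from log4j-core.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def find_jndi_lookup(data, label="<archive>"):
    """Return "outer.jar!/inner.jar!/entry" paths where JndiLookup.class remains."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, nothing to report
    with zf:
        for info in zf.infolist():
            path = f"{label}!/{info.filename}"
            # endswith also matches copies under a prefix such as WEB-INF/classes/
            if info.filename.endswith(JNDI_CLASS):
                hits.append(path)
            elif info.filename.lower().endswith(ARCHIVE_SUFFIXES):
                # zip -d on the outer archive never touches this nested copy
                hits.extend(find_jndi_lookup(zf.read(info), path))
    return hits


def make_jar(entries):
    """Build an in-memory jar from {name: bytes}; used only for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a patched jar, an unpatched jar, and a fat jar
# that bundles the unpatched one under lib/.
INTERPOLATOR = "org/apache/logging/log4j/core/lookup/Interpolator.class"
PATCHED = make_jar({INTERPOLATOR: b"stub"})
UNPATCHED = make_jar({INTERPOLATOR: b"stub", JNDI_CLASS: b"stub"})
FAT = make_jar({"app/Main.class": b"stub", "lib/log4j-core-2.x.jar": UNPATCHED})

if __name__ == "__main__":
    samples = (("patched.jar", PATCHED), ("unpatched.jar", UNPATCHED), ("fat.jar", FAT))
    for name, blob in samples:
        print(name, find_jndi_lookup(blob, name) or "clean")
```

To check real files, pass `open(path, "rb").read()` and the path as the label; any non-empty result means that archive still needs the class removed.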
