Hello Grzegorz,

Thanks a lot for the super quick reaction.

I was rather confused to see that log messages can trigger a JNDI lookup
anyway. Do you think something should be hardened here?

Do you know if that is triggered by malicious log config or by malicious log
messages, and does it only affect systems where the JMSAppender is actually used?

Regards
Bernd


--
http://bernd.eckenfels.net
________________________________
From: Grzegorz Grzybek <gr.grzy...@gmail.com>
Sent: Friday, December 10, 2021 12:20:02 PM
To: ops4j-announcem...@googlegroups.com <ops4j-announcem...@googlegroups.com>;
Karaf Dev <dev@karaf.apache.org>; d...@felix.apache.org <d...@felix.apache.org>
Subject: [ANN][CVE-2021-44228] Pax Logging 2.0.11 and 1.11.10 released

Hello

Pax Logging 2.0.11 and 1.11.10 have been released with CVE-2021-44228 fix.

*Log4j2 has been updated to version 2.15.0.*

The changelog is available at GitHub:
https://github.com/ops4j/org.ops4j.pax.logging/milestone/72?closed=1

kind regards
Grzegorz Grzybek
