vy commented on pull request #608: URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991241208
**For those who are looking for a JRE/JDK version to mitigate the problem**, please don't! CVE-2021-44228 creates a large attack surface depending on the imagination of the attacker and an RCE is just one of them. I would strongly advise you to avoid having a false conclusion by relying on a JVM feature targeting a certain attack vector; there are more vectors. Simply either bump `log4j-core` to 2.15.0 or set `log4j2.formatMsgNoLookups=true` system property.
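An inventory check for the two mitigations named in the comment above, as an added example that is not part of the comment or of the Log4j project: it classifies `log4j-core` jars by file name and by the JVM arguments of the process loading them. All function names and the sample inventory are hypothetical, and the 2.10.0 floor for the property comes from Log4j's documentation rather than from this comment.

```python
import re

# Only the 2.15.0 target and the property name come from the comment; the rest is illustrative.
FIXED = (2, 15, 0, 1)        # 2.15.0 release; 4th field: 0 = pre-release, 1 = release
PROP_FLOOR = (2, 10, 0, 1)   # assumption (Log4j docs): property is honoured from 2.10.0 on
PROP_NAME = "-Dlog4j2.formatMsgNoLookups"
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(-[\w.]+)?\.jar$")

def core_version(path):
    """Return (major, minor, patch, is_release) for a log4j-core jar name, else None."""
    m = JAR_RE.search(path)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    # Any suffix (-rc1, -beta9) sorts below the plain release of the same number.
    return (int(major), int(minor), int(patch or 0), 0 if suffix else 1)

def lookups_disabled(jvm_args):
    """True if the JVM argument list sets the property from the comment to true."""
    for arg in jvm_args:
        name, _, value = arg.partition("=")
        if name == PROP_NAME and value.lower() == "true":
            return True
    return False

def assess(jar_path, jvm_args):
    version = core_version(jar_path)
    if version is None:
        return "not-log4j-core"
    if version >= FIXED:
        return "upgraded"
    if lookups_disabled(jvm_args):
        # Below the floor the flag is silently ignored, so it must not count as mitigated.
        return "property-set" if version >= PROP_FLOOR else "property-ignored"
    return "needs-action"

# Constructed sample inventory: (jar path, JVM arguments of the owning process)
SAMPLE = [
    ("/opt/app/lib/log4j-core-2.14.1.jar", ["-Xmx1g"]),
    ("/opt/app/lib/log4j-core-2.14.1.jar", ["-Dlog4j2.formatMsgNoLookups=true"]),
    ("/opt/old/lib/log4j-core-2.8.2.jar", ["-Dlog4j2.formatMsgNoLookups=true"]),
    ("/opt/new/lib/log4j-core-2.15.0.jar", []),
]

if __name__ == "__main__":
    for jar, args in SAMPLE:
        print(f"{assess(jar, args):18} {jar}")
```

The check reads file names only, so copies of `log4j-core` bundled inside fat or shaded jars need a separate content scan.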