[ 
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458298#comment-17458298
 ] 

Volkan Yazici commented on LOG4J2-3214:
---------------------------------------

My hesitation for configuration changes is due to the fact that there might be 
multiple places that need to be changed and it is difficult to determine which 
one will be effective at runtime. At work, I have seen people struggling to 
figure out whether they use {{PatternLayout}} or not, since the configuration 
is provided by a transitive dependency containing multiple XMLs, etc. There I 
had the impression that passing a single flag to the process eased the 
procedure a lot – later on we verify the fix by validating that the application 
reports the set property as expected. Further, people also add this environment 
variable at the OS/container level and are done with it, without needing to 
check anything else – of course, except the Log4j version where this flag is 
supported.

> update security page text for CVE-2021-44228
> --------------------------------------------
>
>                 Key: LOG4J2-3214
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3214
>             Project: Log4j 2
>          Issue Type: Documentation
>    Affects Versions: 2.15.0
>            Reporter: Remko Popma
>            Priority: Major
>             Fix For: 2.16.0
>
>
> I propose to update the text for the mitigation section of CVE-2021-44228 on 
> [https://logging.apache.org/log4j/2.x/security.html]
> Changes: add Log4j 1.x section, and format the Log4j 2.x section as a bullet 
> point list for improved readability.
> ----
> {*}Log4j 1.x mitigation{*}: Audit your logging configuration to ensure it has 
> no {{JMSAppender}} configured. Log4j 1.x configurations without JMSAppender 
> are not impacted by this vulnerability.
> {*}Log4j 2.x mitigation{*}: Implement one of the below listed mitigation 
> techniques, ordered from the most recommended approach to the least.
>  # Upgrade to a version >=2.15.0 or later
>  # For releases >=2.10,
>  ** set system property {{log4j2.formatMsgNoLookups}} to {{true}} (see 
> [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties])
>  ** or set environment variable {{LOG4J_FORMAT_MSG_NO_LOOKUPS}} to {{true}} 
> (see 
> [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties]).
>  # For releases >=2.7 and <=2.14.1, modify your logging configuration to 
> disable message lookups:
>  ** use {{%m{nolookups}}} instead of just {{%m}}
>  ** use {{%msg{nolookups}}} instead of just {{%msg}}
>  ** use {{%message{nolookups}}} instead of just {{%message}}
>  # For releases >=2.0-beta9 and <2.7, remove the {{JndiLookup}} class from 
> the classpath: {{zip -q -d log4j-core-*.jar 
> org/apache/logging/log4j/core/lookup/JndiLookup.class}}



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
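An added audit script (not part of this issue, the comment, or the Log4j project) that reads a log4j-core jar's manifest version, checks whether JndiLookup.class is still present, and maps the result to the mitigation ladder quoted above. It assumes the manifest carries an Implementation-Version attribute; the jars it builds for the demo are synthetic, not real Log4j artifacts.

```python
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"

def parse_version(text):
    """'2.14.1' -> (2,14,1,1,0); '2.0-beta9' -> (2,0,0,0,9). Pre-releases sort below releases."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:beta|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1, int(pre or 0))

def recommend(version, has_jndi_lookup):
    """Most recommended in-place step from the issue's ladder (upgrading is always step 1)."""
    v = parse_version(version)
    if v >= parse_version("2.15.0"):
        return "none: version is >= 2.15.0"
    if not has_jndi_lookup:
        return "none: JndiLookup class already removed from the jar"
    if v >= parse_version("2.10"):
        return "set log4j2.formatMsgNoLookups=true (or LOG4J_FORMAT_MSG_NO_LOOKUPS=true)"
    if v >= parse_version("2.7"):
        return "use %m{nolookups} instead of %m in PatternLayout"
    if v >= parse_version("2.0-beta9"):
        return "remove JndiLookup.class from the jar (zip -q -d ...)"
    return "outside the version ranges listed in the issue"

def audit_jar(jar_bytes):
    """Return (version, has_jndi_lookup, recommendation) for an in-memory jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if MANIFEST in names:  # assumption: Implementation-Version is present
            for line in zf.read(MANIFEST).decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
        has_jndi = JNDI_LOOKUP in names
    if version is None:
        return (None, has_jndi, "version unknown: inspect the jar manually")
    return (version, has_jndi, recommend(version, has_jndi))

def make_sample_jar(version, include_jndi_lookup=True):
    """Constructed sample jar for offline testing; not a real Log4j artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()

if __name__ == "__main__":
    for ver, keep in [("2.14.1", True), ("2.8.2", True), ("2.0-beta9", True), ("2.14.1", False)]:
        print(ver, audit_jar(make_sample_jar(ver, keep)))
```

To audit a real deployment, pass `open(path, "rb").read()` of each log4j-core jar found on the classpath to `audit_jar`.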