[
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458341#comment-17458341
]
Remko Popma commented on LOG4J2-3214:
-------------------------------------
[~AlexanderYastrebov] thank you for the feedback!
{quote}
> For releases >=2.0-beta9 and <2.7, remove theĀ {{JndiLookup}}
I think the version range should include all versions, i.e. right boundary
should be the latest affected version. If users go for patching the library
they might want to patch all the versions instead of applying different fixes
for different versions
{quote}
The reason we single out this version range 2.0-beta9 to <2.7 is because for
this version range, modifying the log4j-core JAR is the *only* mitigation
mechanism available. I will update the text to emphasize this.
[~vy] It looks like with even only 3 people we already have very different
ideas of what the "preferred" mitigation mechanism is. This likely differs a
lot per environment. I propose we do not attempt to create a hierarchy of
preference, and just make it a simple bullet point list instead, where any of
the options is a valid mechanism.
One argument for ordering the mitigation mechanisms as below is that this is
the conventional order for any customization, but I am open to switching 2 and
3...
* latest version (no config needed)
* config
* system prop/environment var
* modify the JAR
I will change the wording to reflect the above.
> update security page text for CVE-2021-44228
> --------------------------------------------
>
> Key: LOG4J2-3214
> URL: https://issues.apache.org/jira/browse/LOG4J2-3214
> Project: Log4j 2
> Issue Type: Documentation
> Affects Versions: 2.15.0
> Reporter: Remko Popma
> Priority: Major
> Fix For: 2.16.0
>
>
> I propose to update the text for the mitigation section of CVE-2021-44228 on
> [https://logging.apache.org/log4j/2.x/security.html]
> Changes: add Log4j 1.x section, and format the Log4j 2.x section as a bullet
> point list for improved readability.
> ----
> {*}Log4j 1.x mitigation{*}: Audit your logging configuration to ensure it has
> no {{JMSAppender}} configured. Log4j 1.x configurations without JMSAppender
> are not impacted by this vulnerability.
> {*}Log4j 2.x mitigation{*}: Implement one of the below listed mitigation
> techniques, ordered from the most recommended approach to the least.
> # Upgrade to a version >=2.15.0 or later
> # For releases >=2.10,
> ** set system property {{log4j2.formatMsgNoLookups}} to {{true}} (see
> [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties])
> ** or set environment variable {{LOG4J_FORMAT_MSG_NO_LOOKUPS}} to {{true}}
> (see
> [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties]).
> # For releases >=2.7 and <=2.14.1, modify your logging configuration to
> disable message lookups:
> ** use {{{}%m{nolookups{}}}} instead of just {{%m}}
> ** use {{{}%msg{nolookups{}}}} instead of just {{%msg}}
> ** use {{{}%message{nolookups{}}}} instead of just {{%message}}
> # For releases >=2.0-beta9 and <2.7, remove the {{JndiLookup}} class from
> the classpath: {{zip \-q \-d log4j-core-*.jar
> org/apache/logging/log4j/core/lookup/JndiLookup.class}}
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
