[
https://issues.apache.org/jira/browse/LOG4J2-3221?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459403#comment-17459403
]
Matt Sicker commented on LOG4J2-3221:
-------------------------------------
2.15.0 only has a DOS issue due to the JNDI LDAP host allow list added in
2.15.0. In prior versions, JNDI URLs are not restricted, so any of the old RCEs
against JNDI are still applicable there, just not as pervasively as the
original issue (i.e., it requires use of a non-default pattern layout that
includes MDC values in the pattern layout).
> JNDI lookups in layout (not message patterns) enabled in Log4j2 < 2.16.0
> ------------------------------------------------------------------------
>
> Key: LOG4J2-3221
> URL: https://issues.apache.org/jira/browse/LOG4J2-3221
> Project: Log4j 2
> Issue Type: Bug
> Reporter: Lucy Menon
> Priority: Major
> Fix For: 2.16.0
>
>
> The mitigation advice for CVE-2021-4428 suggests that for Log4j > 2.10.0 and
> < 2.15.0, the vulnerability can be avoided by setting
> -{{{}Dlog4j2.formatMsgNoLookups=true{}}} or upgrading to 2.15.0. However,
> many users may not be aware that even in this case, lookups used in layouts
> to provide specific pieces of context information will still recursively
> resolve, possibly triggering JNDI lookups. In order to avoid
> attacker-controlled JNDI lookups, users must also either:
> * Ensure that no such lookups resolve to attacker-provided data
> * Ensure that the the JndiLookup class is not loaded
> * Upgrade to log4j2 2.16.0 (untested)
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
