garydgregory commented on pull request #608: URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-994184923
Hello Jan,

Thank you for asking for clarification, we need to make our message as clear as possible.

"If mitigations, such as e.g., `-Dlog4j2.formatMsgNoLookups=true` are insufficient against RCE, is it in fact true that 2.15.0 itself is insufficient against RCE?"

Correct, you must use 2.16.0 or 2.12.2 (if an app is stuck on Java 7) for full protection. I am sure we will continue to improve our documenting this issue.

Gary

On Tue, Dec 14, 2021 at 7:44 PM Jan Schaumann ***@***.***> wrote:

> The message lookup mitigations aren't sufficient to protect from either the DoS or RCE attacks.
>
> If mitigations, such as e.g., `-Dlog4j2.formatMsgNoLookups=true` are insufficient against RCE, is it in fact true that 2.15.0 itself is insufficient against RCE?
>
> The advisory is not quite clear on this and can be read either way ("2.15.0, while vulnerable to DoS, is sufficient against RCE, while mitigations in <2.15.0 are not" or "2.15.0 is vulnerable both to DoS and to RCE"), but since it's my understanding that 2.15.0 is (effectively) functionally equivalent to 2.14.x with `-Dlog4j2.formatMsgNoLookups=true`, it seems to me that 2.15.0 remains vulnerable to RCE.
>
> Is this interpretation correct?
>
> In either case, can https://logging.apache.org/log4j/2.x/security.html and the CVE be updated to be very explicit about this?
>
> https://github.com/apache/logging-log4j2/pull/608#issuecomment-994182074
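The practical consequence of the exchange above is an inventory question: which deployed `log4j-core` jars meet the versions Gary names (2.16.0, or 2.12.2 on the Java 7 line), and which are merely running with `-Dlog4j2.formatMsgNoLookups=true`, which the thread says is not sufficient on its own. The script below is an added example, not code from the Log4j project or either participant; the jar names, JVM arguments and the `assess`/`audit` helpers are constructed for illustration, and it encodes the thread's stated versions as minimums.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Minimum versions named in Gary's reply: 2.16.0 in general, or 2.12.2 for
# applications stuck on Java 7 (the 2.12.x line). Encoded here as lower bounds.
MIN_DEFAULT = (2, 16, 0)
MIN_JAVA7_LINE = (2, 12, 2)

# Matches artifact file names such as log4j-core-2.14.1.jar (sample names below
# are constructed, not taken from any real host).
JAR_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)+)\.jar$")

# The mitigation flag discussed in the thread.
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.12.2' into (2, 12, 2); pad to three parts so tuples compare cleanly."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def version_is_sufficient(version: str) -> bool:
    """True when the version meets the thread's advice:
    >= 2.16.0, or >= 2.12.2 when the artifact is on the 2.12 line."""
    v = parse_version(version)
    if v[:2] == (2, 12):
        return v >= MIN_JAVA7_LINE
    return v >= MIN_DEFAULT


def assess(jar_name: str, jvm_args: Iterable[str] = ()) -> str:
    """Classify one log4j-core jar together with the JVM flags it runs under.

    'patched'         version meets the thread's minimum
    'mitigation-only' older version relying on formatMsgNoLookups, which the
                      thread states is insufficient by itself
    'unpatched'       older version with no mitigation flag at all
    'unknown'         not a log4j-core jar name this parser recognises
    """
    match = JAR_RE.search(jar_name)
    if not match:
        return "unknown"
    if version_is_sufficient(match.group(1)):
        return "patched"
    if NO_LOOKUPS_FLAG in list(jvm_args):
        return "mitigation-only"
    return "unpatched"


def audit(inventory: List[Tuple[str, List[str]]]) -> Dict[str, str]:
    """Map each (jar_name, jvm_args) pair in an inventory to its status."""
    return {jar: assess(jar, args) for jar, args in inventory}


if __name__ == "__main__":
    # Constructed sample inventory for demonstration only.
    sample = [
        ("log4j-core-2.14.1.jar", [NO_LOOKUPS_FLAG]),
        ("log4j-core-2.15.0.jar", []),
        ("log4j-core-2.12.1.jar", [NO_LOOKUPS_FLAG]),
        ("log4j-core-2.12.2.jar", []),
        ("log4j-core-2.16.0.jar", []),
        ("log4j-api-2.16.0.jar", []),
    ]
    for jar, status in audit(sample).items():
        print(f"{jar}: {status}")
```

The `mitigation-only` bucket is the one the thread is really about: hosts in it look mitigated at a glance but, per Gary's answer, still need the jar upgraded rather than just the flag.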