garydgregory commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-994184923


   Hello Jan,
   
   Thank you for asking for clarification, we need to make our message as
   clear as possible.
   
   "If mitigations, such as e.g., "-Dlog4j2.formatMsgNoLookups=true" are
   insufficient against RCE, is it in fact true that 2.15.0 itself is
   insufficient against RCE?"
   
   Correct, you must use 2.16.0 or 2.12.2 (if an app is stuck on Java 7) for
   full protection.
   
   I am sure we will continue to improve our documentation of this issue.
   
   Gary
   
   On Tue, Dec 14, 2021 at 7:44 PM Jan Schaumann ***@***.***>
   wrote:
   
   > The message lookup mitigations aren't sufficient to protect from either
   > the DoS or RCE attacks.
   >
   > If mitigations, such as e.g., "-Dlog4j2.formatMsgNoLookups=true" are
   > insufficient against RCE, is it in fact true that 2.15.0 itself is
   > insufficient against RCE?
   >
   > The advisory is not quite clear on this and can be read either way
   > ("2.15.0, while vulnerable to DoS, is sufficient against RCE, while
   > mitigations in <2.15.0 are not" or "2.15.0 is vulnerable both to DoS and to
   > RCE"), but since it's my understanding that 2.15.0 is (effectively)
   > functionally equivalent to 2.14.x with "-Dlog4j2.formatMsgNoLookups=true",
   > it seems to me that 2.15.0 remains vulnerable to RCE.
   >
   > Is this interpretation correct?
   >
   > In either case, can https://logging.apache.org/log4j/2.x/security.html
   > and the CVE be updated to be very explicit about this?
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
