I'd expect the parsing to be mostly a no-op as the lookup no longer
exists. Neutralized versions of the class could return an empty string
which might remove the string, but it would otherwise be left intact
and uninterpreted without the plugin available.
On Thu, Dec 16, 2021 at 7:08 PM Shawn Heis
One of the possible mitigations for the recent vulnerabilities is
removing the JndiLookup.class file from the log4j-core jar.
One thing I am wondering is what happens if that step is taken and
somebody manages to cause an application to send the exploit text to the
log? Down in the bowels of
Please create a Jira issue for this with as much information as you can.
Thanks,
Ralph
> On Dec 16, 2021, at 5:01 PM, Bhavesh Patel
> wrote:
>
> Hi Matt/Anyone, Any solution for this?
> Regards, Bhavesh.
> On Thursday, December 16, 2021, 01:57:23 PM PST, Bhavesh Pat
Hi Matt/Anyone, Any solution for this?
Regards, Bhavesh.
On Thursday, December 16, 2021, 01:57:23 PM PST, Bhavesh Patel
wrote:
Hi, As a part of this commit,
https://github.com/apache/logging-log4j2/commit/97db5743a3b10e9017bf70794d6275b21553dd44,
the threa
Hi, As a part of this commit,
https://github.com/apache/logging-log4j2/commit/97db5743a3b10e9017bf70794d6275b21553dd44,
the thread leak issue was fixed. But did it introduce a bug? What if the
KafkaAppender is stopped? In the calls hierarchy, the KafkaManager.stop() is
called. This in tu
If you're trying to reuse config files from v1, we have an
experimental feature to support those directly in v2 documented here:
https://logging.apache.org/log4j/2.x/manual/compatibility.html
It's experimental mostly because it doesn't support _every_ possible
v1 feature, but it seems to cover mos
All,
I'm investigating the minimum effort I need to migrate a web application
from log4j 1.x to 2.x and (as you can see from other posts), I'm running
across a few snags. I'm 100% able to get it to work, but I want to
understand why I haven't been able to get it to work more easily.
Coming f
To whom it may concern,
Off-topic top-post: please stop repeating the incorrect claim that this
was a zero-day vulnerability. That term means something specific, and it
does not apply in this case.
-chris
On 12/16/21 11:51, Turritopsis Dohrnii Teo En Ming wrote:
Subject: How do I determine
All,
I have a web application which contains a log4j2.xml file in the WEB-INF
directory. If I provide the full path using
-Dlog4j.configurationFile=[path]/log4j2.xml, then log4j configures as I
expect. Without this parameter, log4j does not find the configuration file.
I have the log2j libra
This brings up a good point: Can we improve our documentation (security
page) with a section "Determining if I am vulnerable"? Maybe something as
simple to start with as a "search for files that start with 'log4j-'".
On Thu, Dec 16, 2021, 11:52 Turritopsis Dohrnii Teo En Ming <
ceo.teo.en.m...@gma
Subject: How do I determine which hardware device and software has
log4j zero-day security vulnerability?
Good day from Singapore,
I am working for a Systems Integrator (SI) in Singapore. We have
several clients writing in, requesting us to identify log4j zero-day
security vulnerability in their
All,
My understanding is that under many circumstances, migrating from log4j
1.x -> 2.x is nearly as easy as simply upgrading the JAR file (and using
the migration bridge library), but there are some other restrictions as
noted here:
https://logging.apache.org/log4j/2.x/manual/migration.html