[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17465316#comment-17465316
]
Markus Koschany commented on LOG4J2-3230:
-
It appears version 2.3.1 is vulnerable to
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17463290#comment-17463290
]
Gary D. Gregory commented on LOG4J2-3230:
-
[~rgoers] edit "If you use 2.31.," -> "If you use
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17463211#comment-17463211
]
Pawel Smigiel commented on LOG4J2-3230:
---
I found this article describes the problem of recursive
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17463019#comment-17463019
]
Ralph Goers commented on LOG4J2-3230:
-
We have 3 CVEs because there were several distinct problems
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17462850#comment-17462850
]
William Tulaba commented on LOG4J2-3230:
[~pmalone] Thank you for asking the question.
I'm
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17462840#comment-17462840
]
Peter Malone commented on LOG4J2-3230:
--
I briefly tested versions 2.3, 2.4, 2.5, 2.6 and 2.7, and
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17462831#comment-17462831
]
Carter Kozak commented on LOG4J2-3230:
--
There is no way to flip substitutionInVariablesEnabled in
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17462827#comment-17462827
]
Jon Bristow commented on LOG4J2-3230:
-
[~marioja] : it looks like the chief difference is the flag
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17462814#comment-17462814
]
Mario Jauvin commented on LOG4J2-3230:
--
I read the complete ticket and I would kindly request a
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17462794#comment-17462794
]
Wojtek commented on LOG4J2-3230:
[~jbristow] I consider your example to be important because it shows
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17462770#comment-17462770
]
Peter Malone commented on LOG4J2-3230:
--
[~jbristow] I'm not using your sample and I have crafted my
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17462721#comment-17462721
]
Gary D. Gregory commented on LOG4J2-3230:
-
[~pmalone]
I understand your position as I am
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17462717#comment-17462717
]
Jon Bristow commented on LOG4J2-3230:
-
This is a different bug to the JNDI one. It is related to the
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17462707#comment-17462707
]
Peter Malone commented on LOG4J2-3230:
--
[~ggregory] Understood, however there are organizations out
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17462699#comment-17462699
]
Gary D. Gregory commented on LOG4J2-3230:
-
[~pmalone]
Just update to 2.17.0 where JNDI is
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17462682#comment-17462682
]
Peter Malone commented on LOG4J2-3230:
--
I'm trying to determine why removing *JndiLookup.class*
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17462592#comment-17462592
]
Wojtek commented on LOG4J2-3230:
[~rpopma] I only copied code from original issue [^sample.tar.gz]
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17462583#comment-17462583
]
Remko Popma commented on LOG4J2-3230:
-
[~Aixn] if this string gets printed to the log:
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17462567#comment-17462567
]
Wojtek commented on LOG4J2-3230:
I'm afraid that official mitigation (described in
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17462548#comment-17462548
]
Bernd Eckenfels commented on LOG4J2-3230:
-
The lookup of log messages and parameter have been
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17462544#comment-17462544
]
Tim Stibbs commented on LOG4J2-3230:
It looks like this issue has been assigned CVE-2021-45105 which
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17462041#comment-17462041
]
Matt Sicker commented on LOG4J2-3230:
-
You can try using a fallback value that's self-referential.
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17461971#comment-17461971
]
AP commented on LOG4J2-3230:
I concur with [~harmeetbedi] and [~mfriedenhagen] -
I don't see any "high"
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17461933#comment-17461933
]
Harmeet Bedi commented on LOG4J2-3230:
--
Question - CVSS Score for this is 7.5 with Attack
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17461915#comment-17461915
]
Richard Gomez commented on LOG4J2-3230:
---
[~longld] The sample code is using a version of
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17461914#comment-17461914
]
Calven commented on LOG4J2-3230:
[~jbristow] Hi. The official website shows the vulnerability in this
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17461912#comment-17461912
]
LY DUC LONG commented on LOG4J2-3230:
-
I just test sample.taz.gz .. Config xml can dos but log.info
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17461685#comment-17461685
]
Bernd Eckenfels commented on LOG4J2-3230:
-
Jon, I don’t think I understand the full extent, but
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17461613#comment-17461613
]
Jon Bristow commented on LOG4J2-3230:
-
[~mfriedenhagen] While my initial impressions lead me to
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17461598#comment-17461598
]
Mirko Friedenhagen commented on LOG4J2-3230:
Many thanks for the clarification, [~jbristow].
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17461563#comment-17461563
]
Jon Bristow commented on LOG4J2-3230:
-
[~mfriedenhagen]
The wacky patternLayout for SystemOut was
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17461546#comment-17461546
]
Matt Sicker commented on LOG4J2-3230:
-
Discussions and proposals for CVEs should be done via the
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17461519#comment-17461519
]
Bernd Eckenfels commented on LOG4J2-3230:
-
Do you plan a CVE for it? Unfortunately a number of
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17461377#comment-17461377
]
Mirko Friedenhagen commented on LOG4J2-3230:
So, OK with log4j-core 2.8 you get the
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17461376#comment-17461376
]
Mirko Friedenhagen commented on LOG4J2-3230:
Sorry folks, I just downloaded the sample and
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17461333#comment-17461333
]
Alexander Yastrebov commented on LOG4J2-3230:
-
There is an `enableSubstitutionInVariables`
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17461124#comment-17461124
]
Jon Bristow commented on LOG4J2-3230:
-
Using my above code, 2.0 does NOT attempt to expand anything,
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17461118#comment-17461118
]
Jon Bristow commented on LOG4J2-3230:
-
Created a sample project that I believe reproduces this
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17459658#comment-17459658
]
Ross Cohen commented on LOG4J2-3230:
[~ggregory] My sincerest apologies. Like most security
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17459583#comment-17459583
]
Gary D. Gregory commented on LOG4J2-3230:
-
Hi [~BossColo]
You set the affect versions to "2.0,
[
https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17459571#comment-17459571
]
Gary D. Gregory commented on LOG4J2-3230:
-
I've improved on our Log4j string substitutor class