Right, 8u191 fixes a timeout issue with LDAPS. Gary
On Fri, Dec 10, 2021, 06:10 Wessel van Norel <[email protected]> wrote: > According to this translated post, 121 limits one of the attack vectors. > 191 is needed to mitigate more attack vectors. > > > https://www-cnblogs-com.translate.goog/yyhuni/p/15088134.html?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US > > Wessel > > > On 10 Dec 2021, at 12:05, Gary Gregory <[email protected]> wrote: > > It also can be avoided by not using an old version of Java as Java 8u121 > (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) > protects against remote code execution by defaulting > "com.sun.jndi.rmi.object.trustURLCodebase" and > "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false". > > Gary > > On Fri, Dec 10, 2021, 04:36 Ceki Gülcü <[email protected]> wrote: > >> >> Hello all, >> >> You might have heard of a Remote code execution (RCE) vulnerability in >> log4j 2.x, that allows an attacker to execute arbitrary code by >> controlling the contents of a single logged message. While >> vulnerabilities are reported now and then, this vulnerability is totally >> unheard of in its severity. >> >> As for logback, while logback claims to be the successor to log4j 1.x, >> logback is unrelated to log4j 2.x. It does not share code nor >> vulnerabilities with log4j 2.x. More specifically, logback does not >> suffer from aforementioned said RCE vulnerability in any shape or form. >> >> Unfortunately, the vulnerability exists under SLF4J API when log4j 2.x >> is used as the back-end implementation. Given the severity of this >> issue, we encourage you to consider logback as the preferred back-end >> for SLF4J API. >> >> Also note that logback performs significantly better than log4 2.x. >> >> Please see the benchmark results at: >> >> http://logback.qos.ch/performance.html >> >> Better yet, run the benchmark yourself. >> >> https://github.com/ceki/logback-perf >> >> In our opinion, logging libraries need to be reliable first and foremost >> with new features added only with extreme care. >> >> Best regards, >> >> Further references to the RCE vulnerability: >> >> https://www.lunasec.io/docs/blog/log4j-zero-day/ >> https://twitter.com/P0rZ9/status/1468949890571337731 >> https://github.com/apache/logging-log4j2/pull/608 >> >> -- >> Ceki Gülcü >> >> Please contact [email protected] for support related to SLF4J or logback >> projects. >> _______________________________________________ >> slf4j-dev mailing list >> [email protected] >> http://mailman.qos.ch/mailman/listinfo/slf4j-dev > > _______________________________________________ > slf4j-dev mailing list > [email protected] > http://mailman.qos.ch/mailman/listinfo/slf4j-dev > > > _______________________________________________ > slf4j-dev mailing list > [email protected] > http://mailman.qos.ch/mailman/listinfo/slf4j-dev
_______________________________________________ slf4j-dev mailing list [email protected] http://mailman.qos.ch/mailman/listinfo/slf4j-dev
