Hi, as far as I read through the details, it is a runtime option of the JRE. So, it does not need any recompilation. However, some websites pointed out that if you are using Tomcat you could bypass the JRE protection.
Best regards,
David

From: Scott,Tim <tim.sc...@oclc.org>
Sent: Monday, 13 December 2021 09:57
To: users@tomcat.apache.org
Subject: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version

Hi all,

Suspecting that someone here knows the answer immediately, I thought I’d ask. If you do not know the answer, please don’t spend any time investigating: I’ll do that later today and update everyone whether or not I find an answer.

Our security team advise that “Certain versions of the Java Development Kit remove the LDAP attack vector”.

My question is: Does this removal occur during compile time or runtime? i.e.: Do we need to build the .war file with a JDK which removes the LDAP attack vector, or is it sufficient to deploy the Tomcat with a JDK which does this?

Thank you,
Tim

--
Tim Scott
OCLC · Senior Software Engineer / Technical Product Manager
CityGate, 8 St. Mary’s Gate, Sheffield S1 4LW, UK
cc: Product Management file