On 13/12/2021 09:21, David Weisgerber wrote:
Hi,
as far as I read through the details, it is a runtime option of the JRE. So, it
does not need any recompilation.
However, some websites pointed out that if you are using Tomcat you could
bypass the JRE protection.
Correct, it is the runtime version of the JRE that matters.
It is also correct that using the latest JDK is *not* sufficient to
protect against this issue.
Depending on what classes are on the class path, it may be possible to
trigger an LDAP call to a malicious LDAP server that, with a specially
crafted response, can trigger code execution. Tomcat includes at least
one such collection of classes by default so you should *not* rely on
just updating the JRE.
You need to update log4j2 to a version that disables JNDI lookups by
default or ensure you are using a sufficiently recent version of log4j2
that has the option to disable JNDI lookups and ensure that you have
configured it so JNDI lookups are disabled.
It is pretty much a certainty that there will be other combinations of
libraries that this exploit can leverage so, whether you are running on
Tomcat or not, my recommendation would be to ensure that you address
this issue with the log4j2 update or configuration.
Mark
Best regards,
David
From: Scott,Tim <tim.sc...@oclc.org>
Sent: Monday, 13 December 2021 09:57
To: users@tomcat.apache.org
Subject: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java
version
Hi all,
Suspecting that someone here knows the answer immediately, I thought I’d ask.
If you do not know the answer, please don’t spend any time investigating: I’ll
do that later today and update everyone whether or not I find an answer.
Our security team advise that “Certain versions of the Java Development Kit
remove the LDAP attack vector”.
My question is: Does this removal occur during compile time or runtime?
i.e.: Do we need to build the .war file with a JDK which removes the LDAP
attack vector, or is it sufficient to deploy the Tomcat with a JDK which does
this?
Thank you,
Tim
--
Tim Scott
OCLC · Senior Software Engineer / Technical Product Manager
CityGate, 8 St. Mary’s Gate, Sheffield S1 4LW, UK
cc: Product Management file
OCLC COVID-19 resources:
oc.lc/covid19-service-info<https://oc.lc/covid19-service-info>
[COVID-19: We’re in this
together]<https://www.oclc.org/en/covid-19.html?utm_campaign=covid-19-support&utm_medium=email&utm_source=libraryservices&utm_content=signature-banner-covid-19-information-resources>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org