Tim,
Adding to what others have posted...
On 12/13/21 03:57, Scott,Tim wrote:
> Suspecting that someone here knows the answer immediately, I thought I’d
> ask.
> If you do not know the answer, please don’t spend any time
> investigating: I’ll do that later today and update everyone whether or
> not I find an answer.
> Our security team advise that “Certain versions of the Java Development
> Kit remove the LDAP attack vector”.
> My question is: Does this removal occur during compile time or runtime?
Runtime. You can even re-enable the vulnerability if you want :)
It's worth repeating what David Weisgerber said in his reply: even if
the runtime JDK/JRE provides a mitigation of sorts, you may still be
vulnerable through other means (aka "JNDI gadgets").
There is also a risk of information leakage which does NOT rely on the
use of LDAP connections.
Your best course of action would be to upgrade log4j if possible, or use
one of the several other mitigations available for recent versions. If
you aren't running a recent version, RUN ONE.
-chris
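Since the JDK mitigation Chris describes is a runtime setting, it can be checked (and can be seen to be switched back on) inside the running JVM. The class below is an added example, not code from the thread or from Tomcat/log4j; the two `trustURLCodebase` property names are real JDK system properties, and the output strings are my own.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not code from the thread: a defender-side check run inside
// the JVM that hosts the application. It reports whether the JDK's runtime
// JNDI mitigation (the trustURLCodebase properties, which newer JDK builds
// default to "false") has been explicitly re-enabled, and what the JVM is.
public class JndiCodebaseCheck {
    static final String LDAP_PROP = "com.sun.jndi.ldap.object.trustURLCodebase";
    static final String RMI_PROP = "com.sun.jndi.rmi.object.trustURLCodebase";

    // True only when a property has been explicitly set to "true", i.e. the
    // runtime mitigation was switched back on via -D flag or in code.
    static boolean remoteCodebaseTrusted() {
        return "true".equalsIgnoreCase(System.getProperty(LDAP_PROP))
                || "true".equalsIgnoreCase(System.getProperty(RMI_PROP));
    }

    // One line per observation. An unset property is NOT proof of safety:
    // older JDK builds default it to true without the property being set,
    // so the JVM version line must be checked against the vendor's notes.
    static List<String> findings() {
        List<String> out = new ArrayList<>();
        out.add("JVM: " + System.getProperty("java.vendor") + " "
                + System.getProperty("java.runtime.version"));
        for (String prop : new String[] {LDAP_PROP, RMI_PROP}) {
            String value = System.getProperty(prop);
            if (value == null) {
                out.add(prop + " unset: JDK build default applies; confirm the "
                        + "build is one that defaults it to false");
            } else if ("true".equalsIgnoreCase(value)) {
                out.add(prop + "=true: remote codebase loading re-enabled (FAIL)");
            } else {
                out.add(prop + "=" + value + ": explicitly disabled (OK)");
            }
        }
        out.add(remoteCodebaseTrusted()
                ? "Verdict: JDK mitigation is OFF in this JVM"
                : "Verdict: JDK mitigation not overridden; still upgrade log4j, "
                        + "since other JNDI gadgets and information-leaking "
                        + "lookups do not depend on LDAP codebase loading");
        return out;
    }

    public static void main(String[] args) {
        for (String line : findings()) {
            System.out.println(line);
        }
    }
}
```

Run it once plainly and once with the property overridden on the command line to see the check distinguish a JVM whose defaults are intact from one where the setting has been changed.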