Hi Mark,

Thank you. That clarifies something I was not quite getting.

Surely setting a system property “log4j2.formatMsgNoLookups” does not require a 
particular JRE version?
And no, it doesn’t.

Yes – we’d need to upgrade log4j2 and/or add that parameter. Whilst the JRE 
version might deliver some protection, it’s not everything.

Thanks,
Tim

--
Tim Scott
OCLC · Senior Software Engineer / Technical Product Manager

cc: Product Management file

OCLC COVID-19 resources: 
oc.lc/covid19-service-info<https://oc.lc/covid19-service-info>

From: Mark Thomas <ma...@apache.org>
Sent: 13 December 2021 09:36
To: users@tomcat.apache.org
Subject: [External] Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version

On 13/12/2021 09:21, David Weisgerber wrote:
> Hi,
> as far as I read through the details, it is a runtime option of the JRE. So, 
> it does not need any recompilation.
> However, some websites pointed out that if you are using Tomcat you could 
> bypass the JRE protection.

Correct, it is the runtime version of the JRE that matters.

It is also correct that using the latest JDK is *not* sufficient to
protect against this issue.

Depending on what classes are on the class path, it may be possible to
trigger an LDAP call to a malicious LDAP server that, with a specially
crafted response, can trigger code execution. Tomcat includes at least
one such collection of classes by default so you should *not* rely on
just updating the JRE.

You need to update log4j2 to a version that disables JNDI lookups by
default or ensure you are using a sufficiently recent version of log4j2
that has the option to disable JNDI lookups and ensure that you have
configured it so JNDI lookups are disabled.

It is pretty much a certainty that there will be other combinations of
libraries that this exploit can leverage so, whether you are running on
Tomcat or not, my recommendation would be to ensure that you address
this issue with the log4j2 update or configuration.

Mark


>
> Best regards,
> David
>
> From: Scott,Tim <tim.sc...@oclc.org<mailto:tim.sc...@oclc.org>>
> Sent: Monday, 13 December 2021 09:57
> To: users@tomcat.apache.org<mailto:users@tomcat.apache.org>
> Subject: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version
>
> Hi all,
>
> Suspecting that someone here knows the answer immediately, I thought I’d ask.
>
> If you do not know the answer, please don’t spend any time investigating: 
> I’ll do that later today and update everyone whether or not I find an answer.
>
> Our security team advise that “Certain versions of the Java Development Kit 
> remove the LDAP attack vector”.
>
> My question is: Does this removal occur during compile time or runtime?
>
> i.e.: Do we need to build the .war file with a JDK which removes the LDAP 
> attack vector, or is it sufficient to deploy the Tomcat with a JDK which does 
> this?
>
> Thank you,
> Tim
>
> --
>
> Tim Scott
>
> OCLC · Senior Software Engineer / Technical Product Manager
>
> CityGate, 8 St. Mary’s Gate, Sheffield S1 4LW, UK
>
>
> cc: Product Management file
>
>
> OCLC COVID-19 resources: 
> oc.lc/covid19-service-info<https://oc.lc/covid19-service-info>
> [COVID-19: We’re in this together]<https://www.oclc.org/en/covid-19.html?utm_campaign=covid-19-support&utm_medium=email&utm_source=libraryservices&utm_content=signature-banner-covid-19-information-resources>
>
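The thread's conclusion is that the JRE version is not the deciding factor: what matters is which log4j-core is on the class path and whether JNDI lookups are disabled, either by a log4j2 release that disables them by default or by the `log4j2.formatMsgNoLookups` runtime property. The following is an added defender-side example, not code from the thread or from the Tomcat or Log4j projects. It unpacks a deployed WAR, finds each bundled log4j-core jar, reads its version from the Maven `pom.properties`, checks whether `JndiLookup.class` is still present, and then checks whether the JVM options (for example `CATALINA_OPTS`) or the `LOG4J_FORMAT_MSG_NO_LOOKUPS` environment variable actually set the switch. The WAR it scans is a constructed fixture built in memory; the version thresholds (`2.10.0` for property support, `2.15.0` for lookups disabled by default) are the example's own assumptions and should be adjusted to the current advisory.

```python
"""Check a WAR for log4j-core and decide whether JNDI lookups are really disabled."""
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# Entry paths inside a log4j-core jar (standard Maven/Log4j layout).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Thresholds assumed by this example; adjust to the advisory you are working from.
PROPERTY_SUPPORTED_FROM = (2, 10, 0)   # log4j2.formatMsgNoLookups exists from here
DISABLED_BY_DEFAULT_FROM = (2, 15, 0)  # the release the thread calls "disabled by default"


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1). Unparseable input yields (), which sorts lowest,
    so an unknown version is treated as vulnerable rather than safe."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])


def build_sample_war(version: str, include_jndi_lookup: bool = True) -> bytes:
    """Constructed fixture, not a real artifact: a minimal WAR carrying a fake
    log4j-core jar under WEB-INF/lib with only the entries the scanner reads."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                              f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not bytecode
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/web.xml", "<web-app/>")
        z.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", jar.getvalue())
    return war.getvalue()


def scan_war(war_bytes: bytes) -> List[Dict[str, object]]:
    """Open every nested jar in the WAR and report each log4j-core found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if not name.endswith(".jar"):
                continue
            with zipfile.ZipFile(io.BytesIO(war.read(name))) as jar:
                entries = set(jar.namelist())
                if POM_PROPS not in entries:
                    continue  # some other library, not log4j-core
                props = jar.read(POM_PROPS).decode("utf-8", "replace")
                match = re.search(r"^version=(.+)$", props, re.M)
                findings.append({
                    "jar": name,
                    "version": match.group(1).strip() if match else "unknown",
                    "jndi_lookup_present": JNDI_LOOKUP in entries,
                })
    return findings


def lookups_disabled_by_config(jvm_opts: str, env: Optional[Dict[str, str]] = None) -> bool:
    """True if the runtime switch is set as a -D system property (e.g. in
    CATALINA_OPTS) or through the equivalent environment variable."""
    env = env or {}
    if re.search(r"-Dlog4j2\.formatMsgNoLookups=true\b", jvm_opts):
        return True
    return env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").strip().lower() == "true"


def classify(finding: Dict[str, object], config_disables_lookups: bool) -> str:
    """Apply the thread's reasoning: the log4j-core version and its lookup
    configuration decide the outcome, not the JRE that runs Tomcat."""
    if not finding["jndi_lookup_present"]:
        return "mitigated: JndiLookup class removed from jar"
    version = parse_version(str(finding["version"]))
    if version >= DISABLED_BY_DEFAULT_FROM:
        return "fixed: this log4j-core disables JNDI lookups by default"
    if version >= PROPERTY_SUPPORTED_FROM:
        if config_disables_lookups:
            return "mitigated: log4j2.formatMsgNoLookups=true is set"
        return "VULNERABLE: set log4j2.formatMsgNoLookups=true or upgrade log4j-core"
    return "VULNERABLE: formatMsgNoLookups not honoured before 2.10.0; upgrade log4j-core"


def assess(war_bytes: bytes, jvm_opts: str = "", env: Optional[Dict[str, str]] = None) -> List[str]:
    """One verdict line per log4j-core jar found in the WAR."""
    disabled = lookups_disabled_by_config(jvm_opts, env)
    return [f"{f['jar']} ({f['version']}): {classify(f, disabled)}" for f in scan_war(war_bytes)]


if __name__ == "__main__":
    # Four constructed deployments: old log4j with the property (still exposed),
    # 2.14.1 without and with the property, and a release fixed by default.
    for version, opts in [("2.9.1", "-Dlog4j2.formatMsgNoLookups=true"),
                          ("2.14.1", "-Xmx1g"),
                          ("2.14.1", "-Xmx1g -Dlog4j2.formatMsgNoLookups=true"),
                          ("2.15.0", "")]:
        for line in assess(build_sample_war(version), opts):
            print(line)
```

Point `assess()` at the bytes of a real WAR and the JVM options Tomcat is actually started with; a jar whose `pom.properties` is missing or unreadable is deliberately reported as vulnerable, since the safe default when the version cannot be established is to upgrade.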

