Hi,
we were affected - we use an AccessLogValve, which logs to Log4j2 and we
use Log4j as java.util.logging LogManager. We already patched, but only
on Saturday.
In any case: in a lot of places I saw "recent JRE versions have a
mitigation in place", but I can't seem to find which JRE version
introduced which mitigation. Can anybody here point me to where I can
find that information? Googling for this only seems to bring up
everybody's security advisories, but nobody seems to bother to state
exact JRE versions.
Cheers,
Juri
On 12/13/21 2:13 PM, Christopher Schultz wrote:
Tim,
Adding to what others have posted...
On 12/13/21 03:57, Scott,Tim wrote:
Suspecting that someone here knows the answer immediately, I thought
I’d ask.
If you do not know the answer, please don’t spend any time
investigating: I’ll do that later today and update everyone whether
or not I find an answer.
Our security team advise that “Certain versions of the Java
Development Kit remove the LDAP attack vector”.
My question is: Does this removal occur during compile time or runtime?
Runtime. You can even re-enable the vulnerability if you want :)
It's worth repeating what David Weisgerber said in his reply: even if
the runtime JDK/JRE provides a mitigation of sorts, you may still be
vulnerable through other means (aka "JNDI gadgets").
There is also a risk of information leakage which does NOT rely on the
use of LDAP connections.
Your best course of action would be to upgrade log4j if possible, or
use one of the several other mitigations available for recent
versions. If you aren't running a recent version, RUN ONE.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
