> From: Juri Berlanda
> Sent: 13 December 2021 15:03
> Subject: [External] Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs
> compile time Java version
> Hi,
> we were affected - we use an AccessLogValve, which logs to Log4j2 and we
> use Log4j as java.util.logging LogManager. We already patched, but only
> on Saturday.
> In any case: in a lot of places I saw "recent JRE versions have a
> mitigation in place", but I can't seem to find which JRE version
> introduced which mitigation. Can anybody here point me to where I can
> find that information? Googling for this only seems to bring up
> everybody's security advisories, but nobody seems to bother to state
> exact JRE versions.
Our security team stated:
"Certain versions of the Java Development Kit remove the LDAP attack vector,
but others remain. Versions after these JDKs remove the LDAP vector:
6u211
7u201
8u191
11.0.1"
No doubt you can review the release notes for, e.g., 8u191/192 for further
clues.
Notwithstanding Mark's notes earlier that updating your JRE may not resolve
everything.
> Cheers,
> Juri
Thanks,
Tim
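An added example, not part of the original thread: a check that compares `java -version` output against the JDK thresholds quoted in the message above. It assumes each listed build is itself the first without the LDAP vector; the function names and the sample inventory are constructed for illustration.

```python
import re

# Thresholds quoted in the message above, keyed by major version: (minor, update).
# Assumption: each listed build is itself the first one without the LDAP vector.
LDAP_THRESHOLDS = {6: (0, 211), 7: (0, 201), 8: (0, 191), 11: (0, 1)}

def parse_java_version(text):
    """Return (major, (minor, update)) from `java -version` output or a bare version.

    Legacy scheme: 1.8.0_181 -> (8, (0, 181)); Java 9+ scheme: 11.0.1 -> (11, (0, 1)).
    """
    quoted = re.search(r'version "([^"]+)"', text)
    version = quoted.group(1) if quoted else text.strip()
    version = re.split(r"[-+]", version, maxsplit=1)[0]  # drop -ea / +build suffixes
    legacy = re.fullmatch(r"1\.(\d+)\.\d+(?:_(\d+))?", version)
    if legacy:
        return int(legacy.group(1)), (0, int(legacy.group(2) or 0))
    modern = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.\d+)*", version)
    if not modern:
        raise ValueError(f"unrecognised Java version: {text!r}")
    major, minor, update = (int(g or 0) for g in modern.groups())
    return major, (minor, update)

def ldap_vector_removed(text):
    """True/False per the quoted list; None when the list says nothing about that major."""
    major, rest = parse_java_version(text)
    if major in LDAP_THRESHOLDS:
        return rest >= LDAP_THRESHOLDS[major]
    if major > max(LDAP_THRESHOLDS):
        return True  # newer release line than the last listed threshold
    return None      # e.g. 9 or 10: not covered by the list

if __name__ == "__main__":
    # Constructed inventory: hostnames and outputs are made up for illustration.
    inventory = {
        "app01": 'java version "1.8.0_181"\nJava(TM) SE Runtime Environment (build 1.8.0_181-b13)',
        "app02": 'openjdk version "11.0.13" 2021-10-19',
        "app03": 'java version "1.7.0_80"',
        "app04": 'openjdk version "9.0.4"',
    }
    labels = {True: "LDAP vector removed", False: "below threshold", None: "not in list"}
    for host, output in inventory.items():
        print(f"{host}: {parse_java_version(output)} -> {labels[ldap_vector_removed(output)]}")
```

A `True` result speaks only to the LDAP vector named in the quoted list; as the thread notes, updating the JRE may not resolve everything, so Log4j itself still needs patching.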