> From: Juri Berlanda
> Sent: 13 December 2021 15:03
> Subject: [External] Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs
> compile time Java version
>
> Hi,
> we were affected - we use an AccessLogValve, which logs to Log4j2 and we
> use Log4j as java.util.logging LogManager. We already patched, but only
> on Saturday.
> In any case: in a lot of places I saw "recent JRE versions have a
> mitigation in place", but I can't seem to find which JRE version
> introduced which mitigation. Can anybody here point me to where I can
> find that information? Googling for this only seems to bring up
> everybody's security advisories, but nobody seems to bother to state
> exact JRE versions.

Our security team stated:

"Certain versions of the Java Development Kit remove the LDAP attack vector, but others remain. Versions after these JDKs remove the LDAP vector:
6u211
7u201
8u191
11.0.1"

No doubt you can review the release notes for, e.g., 8u191/192 for further clues. Notwithstanding Mark's notes earlier that updating your JRE may not resolve everything.

> Cheers,
> Juri

Thanks,
Tim