Hi all,

thanks a lot to all for the quick replies. Not what I hoped to hear, but hey - every new detail I learn about this issue turns out to be the opposite of what I hope to hear.

Cheers,

Juri

On 12/13/21 4:17 PM, David Weisgerber wrote:
Hi,
our software was also affected but luckily not our Tomcat distribution.
I repeat, no JRE has a sufficient mitigation! You need to update log4j2 or set 
the environment variables. The problem is that through log4j2 you can misuse 
other library functions where the JRE mitigations would not protect you. I must 
repeat, there was a website stating that the presence of tomcat alone would 
open up another attack vector through log4j2.

Best regards,
David

-----Original Message-----
From: Juri Berlanda <juri.berla...@tuwien.ac.at>
Sent: Monday, 13 December 2021 16:03
To: users@tomcat.apache.org
Subject: Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version

Hi,

we were affected - we use an AccessLogValve, which logs to Log4j2 and we use 
Log4j as java.util.logging LogManager. We already patched, but only on Saturday.

In any case: in a lot of places I saw "recent JRE versions have a mitigation in 
place", but I can't seem to find which JRE version introduced which mitigation. Can 
anybody here point me to where I can find that information? Googling for this only seems 
to bring up everybody's security advisories, but nobody seems to bother to state exact 
JRE versions.

Cheers,

Juri

On 12/13/21 2:13 PM, Christopher Schultz wrote:
Tim,

Adding to what others have posted...

On 12/13/21 03:57, Scott,Tim wrote:
Suspecting that someone here knows the answer immediately, I thought
I’d ask.

If you do not know the answer, please don’t spend any time
investigating: I’ll do that later today and update everyone whether
or not I find an answer.

Our security team advise that “Certain versions of the Java
Development Kit remove the LDAP attack vector”.

My question is: Does this removal occur during compile time or runtime?
Runtime. You can even re-enable the vulnerability if you want :)

It's worth repeating what David Weisgerber said in his reply: even if
the runtime JDK/JRE provides a mitigation of sorts, you may still be
vulnerable through other means (aka "JNDI gadgets").

There is also a risk of information leakage which does NOT rely on the
use of LDAP connections.

Your best course of action would be to upgrade log4j if possible, or
use one of the several other mitigations available for recent
versions. If you aren't running a recent version, RUN ONE.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
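Below is an added example, not code from this thread or from the Tomcat or Log4j projects: a Python check that inventories log4j-core jars under a lib directory and decides, per deployment at runtime, whether each one is still exposed to CVE-2021-44228 or is covered by one of the stop-gaps David and Chris mention (removing JndiLookup.class, or disabling message lookups). It assumes, not from the thread, that log4j-core 2.0-beta9 through 2.14.1 are affected with the 2.3.1+ and 2.12.2+ backports fixed, that LOG4J_FORMAT_MSG_NO_LOOKUPS / -Dlog4j2.formatMsgNoLookups is only honoured from 2.10 on, and it deliberately never consults the JRE version because the thread's point is that the JRE-side mitigation is not sufficient.

```python
# Added example, not from the thread: inventory log4j-core jars under a lib dir and
# classify each against CVE-2021-44228 plus the two stop-gaps the thread mentions.
import os, re, tempfile, zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?\.jar$")
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0, 0, 9), (2, 14, 1, 1, 0)  # 2.0-beta9 .. 2.14.1 (assumed)
FIXED_BACKPORTS = [((2, 3, 1, 1, 0), (2, 4, 0, 0, 0)), ((2, 12, 2, 1, 0), (2, 13, 0, 0, 0))]
NO_LOOKUPS_MIN = (2, 10, 0, 1, 0)  # formatMsgNoLookups only exists from 2.10 (assumed)

def parse_version(filename):
    """'log4j-core-2.0-beta9.jar' -> (2, 0, 0, 0, 9); releases sort after betas."""
    m = VERSION_RE.search(filename)
    if m:
        major, minor, patch, beta = m.groups()
        return (int(major), int(minor), int(patch or 0), 0 if beta else 1, int(beta or 0))

def assess_jar(jar_path, env=os.environ, jvm_opts=""):
    version = parse_version(jar_path.name)  # decided per deployment, not by the compiling JDK
    if version is None:
        return None
    backported = any(lo <= version < hi for lo, hi in FIXED_BACKPORTS)
    if not AFFECTED_MIN <= version <= AFFECTED_MAX or backported:
        return "fixed"
    with zipfile.ZipFile(jar_path) as jar:
        if JNDI_LOOKUP not in jar.namelist():
            return "stop-gap: JndiLookup.class removed, upgrade still advised"
    no_lookups = (env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true"
                  or "-Dlog4j2.formatMsgNoLookups=true" in jvm_opts)
    if no_lookups and version >= NO_LOOKUPS_MIN:
        return "stop-gap: message lookups disabled, upgrade still advised"
    return "VULNERABLE"

def scan(root, env=os.environ, jvm_opts=""):
    root = Path(root)
    return {p.relative_to(root).as_posix(): assess_jar(p, env, jvm_opts)
            for p in sorted(root.rglob("log4j-core-*.jar"))}

def demo():
    root = Path(tempfile.mkdtemp())  # constructed sample jars below, not real log4j builds
    for sub, name, keep in [("app1", "log4j-core-2.14.1.jar", True),
                            ("app2", "log4j-core-2.14.1.jar", False),
                            ("app3", "log4j-core-2.17.1.jar", True)]:
        (root / sub).mkdir()
        with zipfile.ZipFile(root / sub / name, "w") as jar:
            if keep:
                jar.writestr(JNDI_LOOKUP, b"")
    return scan(root, env={}), scan(root, env={"LOG4J_FORMAT_MSG_NO_LOOKUPS": "true"})
```

Point `scan()` at a real `$CATALINA_HOME/lib` or a webapp's `WEB-INF/lib`, passing the JVM options from `setenv.sh` as `jvm_opts`, and treat anything other than "fixed" as a reason to upgrade log4j.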