


Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability. To mitigate: audit your logging configuration to ensure it has no JMSAppender configured. A separate CVE (CVE-2021-4104) has been filed for this vulnerability.

Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. But I was concerned about comments about indirect exploits in the Carnegie Mellon analysis about Log4j 1.x (VU#930724 - Apache Log4j allows insecure JNDI lookups), but we may be OK. Essentially: Log4j 1.x does not have Lookups, so the risk is lower. I was wondering about that, since I couldn't tell from the jar files in the _1.9.2 v201404171502/lib subdirectory.
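The two checks the post is asking about (does the logging configuration declare a JMSAppender, and which jars in a lib directory actually ship the relevant classes) can be scripted. The following is an added example written for this page, not code from the poster, Apache or the CERT/CC note; the class names are the real Log4j ones, while the sample configuration text and the jar files it builds in a temporary directory are constructed for the demo.

```python
"""Defensive audit helpers for the Log4j 1.x JMSAppender issue (CVE-2021-4104).

Added example, not code from the forum post or from Apache. Two checks:
  1. does a log4j.properties or log4j.xml document declare a JMSAppender?
  2. which jars under a lib/ directory carry the 1.x JMSAppender class or
     the 2.x JndiLookup class (the class behind CVE-2021-44228)?
Class names are the real ones from Log4j; all sample inputs are constructed.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
import zipfile

# Fully-qualified class names as shipped by Apache Log4j.
JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"                # Log4j 1.x
JNDI_LOOKUP_CLASS = "org.apache.logging.log4j.core.lookup.JndiLookup"  # Log4j 2.x

# Zip entry paths that correspond to those classes inside a jar.
JMS_APPENDER_ENTRY = JMS_APPENDER_CLASS.replace(".", "/") + ".class"
JNDI_LOOKUP_ENTRY = JNDI_LOOKUP_CLASS.replace(".", "/") + ".class"

# Matches only the appender declaration line (log4j.appender.NAME=CLASS),
# not its sub-properties such as log4j.appender.NAME.layout=...
_PROP_APPENDER = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$")


def jms_appenders_in_properties(text):
    """Names of appenders declared with the JMSAppender class in log4j.properties text."""
    found = []
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):  # properties-file comment lines
            continue
        m = _PROP_APPENDER.match(line)
        if m and m.group(2) == JMS_APPENDER_CLASS:
            found.append(m.group(1))
    return found


def jms_appenders_in_xml(text):
    """Names of <appender class="...JMSAppender"> elements in log4j.xml text."""
    root = ET.fromstring(text)
    return [a.get("name", "") for a in root.iter("appender")
            if a.get("class") == JMS_APPENDER_CLASS]


def scan_jar(path):
    """Set of indicator class entries present in one jar (a jar is a zip file)."""
    indicators = {JMS_APPENDER_ENTRY, JNDI_LOOKUP_ENTRY}
    with zipfile.ZipFile(path) as zf:
        return indicators.intersection(zf.namelist())


def scan_lib_dir(directory):
    """Map each .jar under directory (recursively) to the indicator classes it carries."""
    report = {}
    for dirpath, _, files in os.walk(directory):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            full = os.path.join(dirpath, name)
            try:
                hits = scan_jar(full)
            except zipfile.BadZipFile:  # skip corrupt or non-zip files
                continue
            if hits:
                report[os.path.relpath(full, directory)] = sorted(hits)
    return report


# Constructed sample configurations (not from the poster's environment).
SAMPLE_PROPERTIES = """\
# constructed sample log4j.properties
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=app.logTopic
"""

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="stdout" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="jms" class="org.apache.log4j.net.JMSAppender"/>
  <root><level value="info"/><appender-ref ref="jms"/></root>
</log4j:configuration>"""


def demo_scan():
    """Build a constructed lib/ directory with two fake jars and scan it."""
    lib = os.path.join(tempfile.mkdtemp(), "lib")
    os.makedirs(lib)
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only; placeholder bytes
    with zipfile.ZipFile(os.path.join(lib, "log4j-1.x-sample.jar"), "w") as zf:
        zf.writestr(JMS_APPENDER_ENTRY, fake_class)
        zf.writestr("org/apache/log4j/Logger.class", fake_class)
    with zipfile.ZipFile(os.path.join(lib, "other.jar"), "w") as zf:
        zf.writestr("com/example/Foo.class", fake_class)
    return scan_lib_dir(lib)


if __name__ == "__main__":
    print("properties JMSAppenders:", jms_appenders_in_properties(SAMPLE_PROPERTIES))
    print("xml JMSAppenders:", jms_appenders_in_xml(SAMPLE_XML))
    print("jar indicators:", demo_scan())
```

Pointing `scan_lib_dir` at the real lib subdirectory answers the question raised in the post: a jar containing `org/apache/log4j/net/JMSAppender.class` is a 1.x jar whose only relevant vector is a configured JMSAppender, while a jar containing `org/apache/logging/log4j/core/lookup/JndiLookup.class` is a 2.x core jar and belongs to the separate lookup issue. A JMSAppender that is declared but never referenced from a logger is still worth removing, since the advisory's mitigation is simply that none be configured.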
