logpresso / CVE-2021-44228-Scanner

Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
Apache License 2.0
852 stars 173 forks

Question: What is Logpresso with vulnerable 2.16 jar files? #173

Closed arnarthor88 closed 2 years ago

xeraph commented 2 years ago

@arnarthor88 What do you mean? Log4j 2.16 also has the CVE-2021-45105 vulnerability.

arnarthor88 commented 2 years ago

Yes, I know, but I was just wondering how logpresso is mitigating the vulnerability. It's not removing the JndiLookup.class, is it?

xeraph commented 2 years ago

@arnarthor88 I got it. CVE-2021-45105 (Log4j 2.16.0) is a DoS vulnerability caused by infinite recursion. It cannot be fixed by removing JndiLookup.class. You should update from version 2.16.0 to version 2.17.0.

jgstew commented 2 years ago

I was wondering if it were possible for the scan utility to help facilitate swapping Log4j 2.x version to (latest) 2.17.0 version as an optional mitigation measure?

It isn't that hard to swap out a file log4j2-core-2.16.0.jar and put log4j2-core-2.17.0.jar in its place, but doing so inside of JAR, WAR, EAR files and similar is quite complicated.

In a lot of ways this would be more experimental than just removing JndiLookup.class.
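The two points made above, that JndiLookup.class removal does not address the 2.16.0 recursion DoS and that log4j-core often sits inside nested JAR/WAR/EAR archives, can be checked with a small recursive scanner. The following Python script is an added example written for this thread; it is not code from the logpresso project. It walks nested archives in memory, reads the log4j-core version from the Maven `pom.properties` entry, checks whether JndiLookup.class is present, and reports a verdict per finding. The sample EAR it scans is constructed inline (the class-file bytes are a placeholder), and the verdict strings are this example's own wording.

```python
import io
import re
import zipfile

# Archive types the scanner descends into (nested JAR/WAR/EAR, as the thread notes).
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def _parse_version(text):
    """pom.properties is key=value lines; only the version line is needed."""
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def _version_tuple(version):
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def scan_archive(data, path="<root>"):
    """Recursively walk an archive given as bytes; return log4j-core findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            version = _parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            findings.append({
                "path": path,
                "version": version,
                "jndi_lookup_present": JNDI_LOOKUP in names,
            })
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                # Nested archive: read its bytes and scan it in memory.
                findings.extend(scan_archive(zf.read(name), f"{path}!/{name}"))
    return findings


def assess(finding):
    """Verdict per finding, following the reasoning in the thread."""
    v = _version_tuple(finding["version"] or "0")
    if v >= (2, 17, 0):
        return "ok: 2.17.0 or later"
    if v == (2, 16, 0):
        # Recursion DoS (CVE-2021-45105) stays even with JndiLookup.class removed.
        return "vulnerable: CVE-2021-45105, upgrade to 2.17.0 (removing JndiLookup.class does not help)"
    if finding["jndi_lookup_present"]:
        return "vulnerable: pre-2.16.0 with JndiLookup.class present, remove the class or upgrade to 2.17.0"
    return "mitigated: JndiLookup.class removed (CVE-2021-44228); upgrade to 2.17.0 still recommended"


def _build_jar(version, include_jndi):
    """Constructed stand-in for a log4j-core jar with only the entries the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes (constructed)
    return buf.getvalue()


def build_sample_ear():
    """Constructed EAR: app.war with a 2.16.0 jar, plus a stripped 2.14.1 jar and a 2.17.0 jar."""
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", _build_jar("2.16.0", True))
    ear = io.BytesIO()
    with zipfile.ZipFile(ear, "w") as zf:
        zf.writestr("app.war", war.getvalue())
        zf.writestr("lib/log4j-core-2.14.1.jar", _build_jar("2.14.1", False))
        zf.writestr("lib/log4j-core-2.17.0.jar", _build_jar("2.17.0", True))
    return ear.getvalue()


def report(data, root="sample.ear"):
    """Map each nested log4j-core path to its verdict."""
    return {f["path"]: assess(f) for f in scan_archive(data, root)}


if __name__ == "__main__":
    for path, verdict in report(build_sample_ear()).items():
        print(path, "->", verdict)
```

Running it shows the nested 2.16.0 jar flagged for CVE-2021-45105 regardless of JndiLookup.class, the 2.14.1 jar with the class removed reported as mitigated, and the 2.17.0 jar reported as fine. Against real archives, point `report()` at the file's bytes; the `pom.properties` path is where Maven-built log4j-core jars record their version.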

xeraph commented 2 years ago

I think your idea is possible in some simple cases, e.g. 2.16 to 2.17. One problem is that I still don't know how to embed a resource file properly. I tried it before with the graalvm native image manual, but failed.

jgstew commented 2 years ago

The name of this issue could probably be more clear. I just tried to look it up and had trouble.