logpresso / CVE-2021-44228-Scanner

Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
Apache License 2.0

JndiManager #182

Open arykov opened 2 years ago

arykov commented 2 years ago

Having looked at a number of scanning and remediation utilities, some appear to remove JndiLookup, some JndiManager. It seems that JndiManager is the one that does the actual JNDI lookup in more recent versions, but there are paths that lead to its execution, other than from JndiLookup. JmsManager and JndiContextSelector are other examples. Is it worth whacking both JndiLookup and JndiManager? I suppose it will break JMS logging.
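An added example, not part of the thread and not the scanner's own code: an inventory of which of the four classes named in the comment above are still present in an archive, including nested jars, so the effect of removing only JndiLookup can be checked. The function names and the sample fat jar are constructed for illustration; the class paths are those of log4j-core 2.x and should be verified against the version being scanned.

```python
import io
import zipfile

# Paths of the classes named in the comment, as packaged in log4j-core 2.x.
JNDI_CLASSES = {
    "JndiLookup": "org/apache/logging/log4j/core/lookup/JndiLookup.class",
    "JndiManager": "org/apache/logging/log4j/core/net/JndiManager.class",
    "JmsManager": "org/apache/logging/log4j/core/appender/mom/JmsManager.class",
    "JndiContextSelector": "org/apache/logging/log4j/core/selector/JndiContextSelector.class",
}
NESTED_SUFFIXES = (".jar", ".war", ".ear")


def inventory(data, label="<root>", depth=0, max_depth=5):
    """Return {archive label: sorted class names present}, recursing into nested archives."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # endswith() also matches prefixed layouts such as WEB-INF/classes/...
        hits = sorted(n for n, p in JNDI_CLASSES.items()
                      if any(e.endswith(p) for e in names))
        if hits:
            found[label] = hits
        if depth < max_depth:
            for entry in names:
                if entry.lower().endswith(NESTED_SUFFIXES):
                    try:
                        nested = inventory(zf.read(entry), f"{label}!/{entry}",
                                           depth + 1, max_depth)
                        found.update(nested)
                    except zipfile.BadZipFile:
                        pass  # entry has an archive suffix but is not a readable zip
    return found


def make_jar(entries):
    """Build an in-memory archive from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_app(remove=()):
    """Constructed fat jar holding a nested log4j-core stand-in, minus the removed classes."""
    core = make_jar({p: b"" for n, p in JNDI_CLASSES.items() if n not in remove})
    return make_jar({"BOOT-INF/lib/log4j-core-sample.jar": core, "app/Main.class": b""})


if __name__ == "__main__":
    for removed in [(), ("JndiLookup",), ("JndiLookup", "JndiManager")]:
        print(removed, inventory(sample_app(removed)))
```

A hit only shows that the class file is packaged in the archive; it does not show whether the application's configuration ever reaches it.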

xeraph commented 2 years ago

Which version do you mean, Log4j2 or Log4j 1?

arykov commented 2 years ago

Log4j2. References