How can I mitigate the Log4Shell vulnerability in version 1.2 of Log4j


I've got a very old version of Solr and I've been trying to see if it is affected by the Log4Shell vulnerability that everybody is freaking out about (CVE-2021-44228).

The CVE only seems to apply to later versions, but a colleague doesn't buy it, so I'm trying to figure out the truth.


Answer 1

I'm about 95% sure this is fine for older versions of Log4j. Three reasons:

  1. I'm on version 1.2. I found the Log4j JAR file on my system, unzipped it, and looked for anything mentioning JNDI:

    find / -iname '*log4j*'
    unzip /etc/opt/jetty/lib/ext/log4j-1.2.17.jar | grep -i jndi
    

    That brought back nothing, so I feel pretty good there. The CVE says that you'd normally find something by looking in the JAR file. It suggests you do:

     zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    

    That wouldn't do anything for me.

  2. I dug through the changelog for Log4j. It says for version 2.0-beta9:

    Add JNDILookup plugin. Fixes LOG4J2-313. Thanks to Woonsan Ko.

    So I think it's safe to say that JNDI didn't exist in Log4j before then. The Jira ticket that added it is here.

  3. I checked the old manual for version 1.2 and compared it to the latest version. In the latest, there's a section for "Lookups" that explains how JNDI works. In version 1.2, that section just isn't there.

I think it's...fine?

Answer 2

Ralph Goers (Apache Log4J maintainer) said:

There are two aspects to this vulnerability.

  1. Log4j 2’s lookup mechanism (property resolver) was being performed on the message text being logged. This meant that if applications are logging user input (almost everyone does) a user could cause the Lookup mechanism to be invoked.
  2. Log4j 2 supports JNDI in various places, including as a lookup. JNDI itself is horribly insecure.

The combined effect of these is what makes it a critical severity issue for Log4j 2. Log4j 1, as well as Logback, both have components that use JNDI and neither do anything to limit the JNDI vulnerabilities. In the case of Log4j 1 it is the JMS Appender. The exposure is smaller but it is still there. If someone can gain access to the logging configuration they could conceivably cause bad things to happen.
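
An added example, not part of either answer or of Log4j itself: a Python inventory check that looks inside a JAR or WAR (including nested archives) for the Log4j 2 `JndiLookup` class named in the CVE mitigation and for the Log4j 1 JMS Appender class (`org/apache/log4j/net/JMSAppender.class`), and reports which appenders a `log4j.properties` file binds to `JMSAppender`. The function names, the nesting and size limits, and the sample archive are assumptions made for this illustration.

```python
import io
import zipfile

# Class entries for the two JNDI-capable components named on this page.
MARKERS = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "log4j2 JndiLookup",
    "org/apache/log4j/net/JMSAppender.class": "log4j1 JMSAppender",
}
NESTED = (".jar", ".war", ".ear")
MAX_NESTED_BYTES = 256 * 1024 * 1024  # do not unpack oversized nested entries

def scan_archive(data, label, depth=0, max_depth=4):
    """Return (location, finding) pairs, descending into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a readable ZIP, nothing to report
    findings = []
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name in MARKERS:
                findings.append((label, MARKERS[name]))
            elif (name.lower().endswith(NESTED) and depth < max_depth
                  and info.file_size <= MAX_NESTED_BYTES):
                findings += scan_archive(zf.read(info), label + "!" + name,
                                         depth + 1, max_depth)
    return findings

def jms_appenders(properties_text):
    """Return appender names a log4j.properties file binds to JMSAppender."""
    names = []
    for line in properties_text.splitlines():
        key, sep, value = (part.strip() for part in line.partition("="))
        if (sep and key.startswith("log4j.appender.")
                and value.endswith(".JMSAppender")):
            names.append(key[len("log4j.appender."):])
    return names

def make_zip(entries):
    """Build an in-memory ZIP from {name: bytes} for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()
# Constructed sample: a WAR bundling a Log4j 1.x-style JAR (placeholder bytes).
SAMPLE_WAR = make_zip({"WEB-INF/lib/log4j-1.2.17.jar": make_zip(
    {"org/apache/log4j/net/JMSAppender.class": b"placeholder"})})
```

For a file on disk, pass its bytes and path: `scan_archive(open(path, "rb").read(), path)`. A JMS Appender hit means the class is present; `jms_appenders` shows whether the logging configuration actually uses it.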
