nanog mailing list archives

Re: Log4j mitigation

From: Nick Hilliard <nick () foobar org>
Date: Tue, 14 Dec 2021 22:43:22 +0000

The log4j people have updated their security advisory to say that thesetwo mitigation measures are not sufficient to protect against the recentvulnerability:

2. start java with "-D log4j2.formatMsgNoLookups=true" (v2.10+ only)
3. start java with "LOG4J_FORMAT_MSG_NO_LOOKUPS=true" environment variable (v2.10+ only)


The current recommended fixes are:

1. upgrade to 2.16.0 (not 2.15.0), or
2. remove the JndiLookup.class file from log4j-core-*.jar

More details on: https://logging.apache.org/log4j/2.x/security.html

Nick

Current thread:

RE: Log4j mitigation, (continued)
- - - RE: Log4j mitigation Jean St-Laurent via NANOG (Dec 13)
    - Re: Log4j mitigation A Crisan (Dec 13)
    - Re: Log4j mitigation Mike Hammett (Dec 13)
    - Re: Log4j mitigation Karl Auer (Dec 13)
    - Re: Log4j mitigation Andy Ringsmuth (Dec 13)
  - Re: Log4j mitigation Owen DeLong via NANOG (Dec 13)
    - Re: Log4j mitigation Doug McIntyre (Dec 14)
    - Re: Log4j mitigation Tyler Conrad (Dec 14)
    - Re: Log4j mitigation Owen DeLong via NANOG (Dec 14)
    - Re: Log4j mitigation Owen DeLong via NANOG (Dec 14)
  - Re: Log4j mitigation Nick Hilliard (Dec 14)
    - Re: Log4j mitigation Owen DeLong via NANOG (Dec 15)
- Re: Log4j mitigation Stefan Bethke (Dec 11)