nanog mailing list archives
Re: Log4j mitigation
From: Nick Hilliard <nick () foobar org>
Date: Tue, 14 Dec 2021 22:43:22 +0000
The log4j people have updated their security advisory to say that these two mitigation measures are not sufficient to protect against the recent vulnerability:
2. start java with "-D log4j2.formatMsgNoLookups=true" (v2.10+ only)
3. start java with "LOG4J_FORMAT_MSG_NO_LOOKUPS=true" environment variable (v2.10+ only)

The current recommended fixes are:

1. upgrade to 2.16.0 (not 2.15.0), or
2. remove the JndiLookup.class file from log4j-core-*.jar

More details on: https://logging.apache.org/log4j/2.x/security.html

Nick