Log4j mitigation
Nick Hilliard
nick at foobar.org
Tue Dec 14 22:43:22 UTC 2021
The log4j people have updated their security advisory to say that these
two mitigation measures are not sufficient to protect against the recent
vulnerability:
> 2. start java with "-D log4j2.formatMsgNoLookups=true" (v2.10+ only)
> 3. start java with "LOG4J_FORMAT_MSG_NO_LOOKUPS=true" environment variable (v2.10+ only)
The current recommended fixes are:
1. upgrade to 2.16.0 (not 2.15.0), or
2. remove the JndiLookup.class file from log4j-core-*.jar
More details on: https://logging.apache.org/log4j/2.x/security.html
Nick
More information about the NANOG
mailing list