Log4j mitigation

Nick Hilliard nick at foobar.org
Tue Dec 14 22:43:22 UTC 2021


The log4j people have updated their security advisory to say that these 
two mitigation measures are not sufficient to protect against the recent 
vulnerability:

> 2. start java with "-D log4j2.formatMsgNoLookups=true" (v2.10+ only)
> 3. start java with "LOG4J_FORMAT_MSG_NO_LOOKUPS=true" environment variable (v2.10+ only)

The current recommended fixes are:

1. upgrade to 2.16.0 (not 2.15.0), or
2. remove the JndiLookup.class file from log4j-core-*.jar

More details on: https://logging.apache.org/log4j/2.x/security.html

Nick
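
An added example, not part of the original message and not code from the log4j project: a Python audit for fix 2 that walks a directory tree, reports which `log4j-core-*.jar` files still contain `JndiLookup.class`, and optionally rewrites them without it. The function names are hypothetical; the entry path is where that class lives inside log4j-core.

```python
import fnmatch
import os
import shutil
import sys
import tempfile
import zipfile

# Entry name of the class inside log4j-core (package org.apache.logging.log4j.core.lookup).
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def has_jndi_lookup(jar_path):
    """Return True if the jar still contains JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_ENTRY in jar.namelist()

def find_log4j_core_jars(root):
    """Yield paths under root whose file name matches log4j-core-*.jar."""
    for dirpath, _dirs, files in os.walk(root):
        for name in fnmatch.filter(files, "log4j-core-*.jar"):
            yield os.path.join(dirpath, name)

def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; return True if it was removed."""
    if not has_jndi_lookup(jar_path):
        return False
    jar_dir = os.path.dirname(os.path.abspath(jar_path))
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=jar_dir)
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, \
            zipfile.ZipFile(tmp_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename != JNDI_ENTRY:
                dst.writestr(item, src.read(item.filename))
    shutil.copymode(jar_path, tmp_path)  # mkstemp creates 0600; keep original mode
    os.replace(tmp_path, jar_path)       # swap in only after a complete rewrite
    return True

def audit(root, fix=False):
    """Map each log4j-core jar under root to whether JndiLookup.class remains."""
    report = {}
    for jar in find_log4j_core_jars(root):
        if fix:
            strip_jndi_lookup(jar)
        report[jar] = has_jndi_lookup(jar)
    return report

if __name__ == "__main__":  # usage: python audit_log4j.py /opt/app [--fix]
    for path, present in audit(sys.argv[1], "--fix" in sys.argv).items():
        print("STILL PRESENT" if present else "absent", path)
```

It matches only files named `log4j-core-*.jar` on disk, so copies bundled inside fat jars or WAR files are not inspected. A running JVM has to be restarted before it picks up the rewritten jar.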

