[slf4j-user] Slf4j shields from Log4shell via log4j2.formatMsgNoLookups=true

Matt Sicker boards at gmail.com
Mon Dec 27 20:43:34 CET 2021


Good to note that this only covers the common use case. That property didn’t end up protecting some advanced use cases that were patched in later releases of log4j-core (CVE-2021-45046 to be specific). It’s a fairly important flag to set in older versions, though, as it’s a fairly broken “feature” as it is regardless of the RCE aspect. Just note that it’s not sufficient to protect against configurations that use lookups to insert user-provided data.
--
Matt Sicker

> On Dec 27, 2021, at 07:26, Ceki Gülcü <ceki at qos.ch> wrote:
> 
> Hi David,
> 
> Thank you for sharing this information.
> -- 
> Ceki Gülcü
> 
> Please contact support(at)qos.ch for donations, sponsorship or support contracts related to SLF4J or logback projects.
> 
> On 22/12/2021 22:24, David Smiley wrote:
>> Hello Slf4j community,
>> I'd like to share a happy discovery about the well-known "Log4shell" vulnerability on Log4j2.  Apps that use Slf4j with Log4j2 backing (and which don't otherwise call Log4j2 directly) can be mitigated by log4j2.formatMsgNoLookups=true
>> https://lists.apache.org/thread/kgh63sncrsm2bls884pg87mnt8vqztmz
>> As I write this (with Ralph having yet to respond to my follow-up), it's not really some final determination but it's highly encouraging.
>> ~ David Smiley
>> Apache Lucene/Solr Search Developer
>> http://www.linkedin.com/in/davidwsmiley
> _______________________________________________
> slf4j-user mailing list
> slf4j-user at qos.ch
> http://mailman.qos.ch/mailman/listinfo/slf4j-user
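The distinction Matt draws above, between the common case (lookups inside the log message, which log4j2.formatMsgNoLookups=true disables) and configurations whose PatternLayout itself contains a lookup that pulls in user-provided data, is easy to miss in an audit. Below is an added example, written for this page and not code from the thread, SLF4J or the Log4j project: a small Python audit that checks whether the flag is set (system property or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable) and then scans a log4j2 XML configuration for lookups in pattern strings. The sample configurations are constructed, and the choice to treat the ctx, map and event lookup prefixes as user-influenced is an assumption made for the example; it does not replace upgrading log4j-core.

```python
"""Audit helper: is log4j2.formatMsgNoLookups=true enough for this deployment?

Added example for the slf4j-user thread; not Log4j project code.
"""
import re
import xml.etree.ElementTree as ET

# Lookup prefixes whose values commonly come from request data (MDC /
# thread context, map messages, event fields). Assumption for this example:
# any of these appearing inside a layout pattern is treated as risky.
USER_DATA_LOOKUPS = ("ctx", "map", "event")

# Matches "${ctx:foo}" (resolved at configuration time) and "$${ctx:foo}"
# (deferred, resolved per log event) and captures the lookup prefix.
LOOKUP_RE = re.compile(r"\$\$?\{(?P<prefix>[A-Za-z]+):")

# Constructed sample configurations used by the demo and the checks below.
SAFE_CONFIG = """<Configuration>
  <Appenders>
    <Console name="stdout">
      <PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>
    </Console>
  </Appenders>
</Configuration>"""

RISKY_CONFIG = """<Configuration>
  <Appenders>
    <Console name="stdout">
      <PatternLayout>
        <Pattern>%d %p [$${ctx:loginId}] %m%n</Pattern>
      </PatternLayout>
    </Console>
  </Appenders>
</Configuration>"""


def flag_enabled(jvm_args, env):
    """True if message lookups are disabled via the system property
    (-Dlog4j2.formatMsgNoLookups=true) or the equivalent environment
    variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true."""
    for arg in jvm_args:
        name, _, value = arg.partition("=")
        if name == "-Dlog4j2.formatMsgNoLookups" and value.lower() == "true":
            return True
    return env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true"


def risky_patterns(config_xml):
    """Return (element tag, lookup prefix, matched text) for every lookup in a
    layout pattern that draws on user-influenced data. Handles both the
    pattern="..." attribute form and the nested <Pattern> element form."""
    root = ET.fromstring(config_xml)
    findings = []
    for elem in root.iter():
        candidates = [v for k, v in elem.attrib.items() if k.lower() == "pattern"]
        if elem.tag.lower() == "pattern" and elem.text:
            candidates.append(elem.text)
        for pattern in candidates:
            for m in LOOKUP_RE.finditer(pattern):
                prefix = m.group("prefix").lower()
                if prefix in USER_DATA_LOOKUPS:
                    findings.append((elem.tag, prefix, m.group(0)))
    return findings


def assess(jvm_args, env, config_xml):
    """Summarise coverage: the flag covers the common SLF4J-over-log4j-core
    case (a lookup string inside the logged message) but not a lookup that
    the layout itself performs on user-provided data."""
    flag = flag_enabled(jvm_args, env)
    findings = risky_patterns(config_xml)
    if not flag:
        verdict = "message lookups still enabled: set the flag or upgrade log4j-core"
    elif findings:
        verdict = "flag set, but the layout performs lookups: fix the pattern and upgrade log4j-core"
    else:
        verdict = "flag set and no layout lookups found: common case mitigated, still upgrade"
    return {"flag": flag, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    jvm = ["-Xmx512m", "-Dlog4j2.formatMsgNoLookups=true"]
    for label, cfg in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        print(label, assess(jvm, {}, cfg)["verdict"])
```

Run it against the real JVM command line (for example from `ps` or the container spec) and the deployed log4j2.xml; a non-empty findings list means the property alone is not a sufficient mitigation for that deployment.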