> On 11.12.2021 at 23:54, Aryeh Friedman <aryeh.fried...@gmail.com> wrote:
>
> On Sat, Dec 11, 2021 at 5:11 PM Sebastian Hennebrüder <use...@laliluna.de>
> wrote:
>
>> Hi all,
>>
>> I reproduced the attack against Tomcat 9.0.56 with latest Java 8 and Java
>> 11. Actually the Java path version is not relevant.
>>
>> It is possible with a deployed Tomcat 9 and Spring Boot with Tomcat
>> embedded.
>>
>
> Does this affect pre-2.x log4j's? (I am using tomcat 9.0.35 with log4j
> 1.2.17)
>
>
> --
> Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org

I did not validate this, but it requires JNDI lookup, so following https://logging.apache.org/log4j/2.x/security.html it is not affected.