Hi, our software was also affected but luckily not our Tomcat distribution. I repeat, no JRE has a sufficient mitigation! You need to update log4j2 or set the environment variables. The problem is that through log4j2 you can misuse other library functions where the JRE mitigations would not protect you. I must repeat, there was a website stating that the presence of tomcat alone would open up another attack vector through log4j2.
Best regards, David -----Original Message----- From: Juri Berlanda <juri.berla...@tuwien.ac.at> Sent: Monday, 13 December 2021 16:03 To: users@tomcat.apache.org Subject: Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version Hi, we were affected - we use an AccessLogValve, which logs to Log4j2 and we use Log4j as java.util.logging LogManager. We already patched, but only on Saturday. In any case: in a lot of places I saw "recent JRE versions have a mitigation in place", but I can't seem to find which JRE version introduced which mitigation. Can anybody here point me to where I can find that information? Googling for this only seems to bring up everybody's security advisories, but nobody seems to bother to state exact JRE versions. Cheers, Juri On 12/13/21 2:13 PM, Christopher Schultz wrote: > Tim, > > Adding to what others have posted... > > On 12/13/21 03:57, Scott,Tim wrote: >> Suspecting that someone here knows the answer immediately, I thought >> I’d ask. >> >> If you do not know the answer, please don’t spend any time >> investigating: I’ll do that later today and update everyone whether >> or not I find an answer. >> >> Our security team advise that “Certain versions of the Java >> Development Kit remove the LDAP attack vector”. >> >> My question is: Does this removal occur during compile time or runtime? > > Runtime. You can even re-enable the vulnerability if you want :) > > It's worth repeating what David Weisgerber said in his reply: even if > the runtime JDK/JRE provides a mitigation of sorts, you may still be > vulnerable through other means (aka "JNDI gadgets"). > > There is also a risk of information leakage which does NOT rely on the > use of LDAP connections. > > Your best course of action would be to upgrade log4j if possible, or > use one of the several other mitigations available for recent > versions. If you aren't running a recent version, RUN ONE. > > -chris > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
