Disable pattern lookups for log4j #3739
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
May you post a reference for the |
|
This is where that behavior and |
|
It seems that That would make this PR obsolete. I'll still leave it open in case you can't directly update to the newest version. |
|
Given 2413fa2 updates log4j to a version that is unaffected, I'll be closing this. |
|
Ok, thanks for your quick work on this. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
While this PR does not fix the RCE outlined in #3736, it disables pattern lookups for logging with log4j, making the vulnerability inaccessible (outside of actually changing the log4j config itself).
Additionally, when the next log4j release (2.15.0) becomes available, the dependency should be updated to that, since that release heavily restricts the possible LDAP connections. The changes in this PR are however still relevant, as pattern lookups should still be disabled for messages containing unknown text from outside the software.