 |
 | 34 Likes | Search this Thread |
| 12-18-2021, 02:12 PM | #61 |
 Originally posted by Lord Lucan  On-line banking etc is a different and more serious matter, but I guess banks will deal with this as a prority, even if many hobby and interest websites don't - some of which don't get attended to by their admins for years  One thing financial institutions are good at is remaining silent about how often they have been compromised or ripped off during a year. | |
| 12-18-2021, 02:16 PM - 1 Like | #62 |
| Originally posted by clackers One thing financial institutions are good at is remaining silent about how often they have been compromised or ripped off during a year.   | |
| 12-19-2021, 10:29 AM | #63 |
| Originally posted by BigMackCam I've already added LOG4J_FORMAT_MSG_NO_LOOKUPS = true to my environment variables, updated my Java SDK and runtime, and I'm running the latest version of Arduino IDE (although it's still using v2.12 of log4j  ). I'm not sure there's much else I can do at this point... nor, indeed, if the few online services I connect to put me at any real risk...Quote: Other insufficient mitigation measures are: setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for releases >= 2.10, or modifying the logging configuration to disable message lookups with %m{nolookups}, %msg{nolookups} or %message{nolookups} for releases >= 2.7 and <= 2.14.1. The reason these measures are insufficient is that, in addition to the Thread Context attack vector mentioned above, there are still code paths in Log4j where message lookups could occur: known examples are applications that use Logger.printf("%s", userInput), or applications that use a custom message factory, where the resulting messages do not implement StringBuilderFormattable. There may be other attack vectors. The safest thing to do is to upgrade Log4j to a safe version, or remove the JndiLookup class from the log4j-core jar. | |
| 12-19-2021, 10:34 AM | #64 |
| Originally posted by beholder3 Just fyi, the apache guys write this: Seems like the only way to fully mitigate the issue is upgrading the libraries to 2.15... but then, that's still just local protection. None of us can address the server side issues... Only the sysops can do that | |
|
| Bookmarks |
| Tags - Make this thread easier to find by adding keywords to it! |
| adobe, adobe software, log4j older adobe, photo industry, photography, security, security threat log4j, software, windows |
Post #60 by BigMackCam 
Similar Threads | ||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Audit / critique my laptop hardware / software / security setup, please? | BigMackCam | General Talk | 27 | 05-30-2021 07:47 AM |
| Add a foot or ring to an older SMC Pentax-A 300 mm (older model) | Pentagel | Pentax SLR Lens Discussion | 17 | 01-23-2020 08:59 AM |
| Adobe Photoshop Lightroom 4 Software vs. Adobe Photoshop Lightroom 5 Software Update | ASheffield | Digital Processing, Software, and Printing | 3 | 05-08-2014 05:52 AM |
| Photoshop, Illustrator users must pay for critical security updates | photolady95 | Digital Processing, Software, and Printing | 5 | 05-12-2012 09:21 AM |
