Description (December 2021)
See:
- CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
Solution
PicApport itself does not use Log4j. However, it bundles libraries that do use Log4j. So far we have not succeeded in manipulating Log4j log output from "outside".
Of course we have implemented all solutions suggested by Apache in version 10.3.01:
- Starting with PicApport version 10.3.01 (see: Changelog Version 10), Log4j 2.16.0 is delivered.
- Additionally, PicApport implicitly sets the system property log4j2.formatMsgNoLookups=true at startup if it is not already set.
- For older PicApport versions the following system property has to be set when starting the PicApport server:
-Dlog4j2.formatMsgNoLookups=true
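As an added example (not PicApport's own code), the following Python check verifies the first part of the fix from the outside: it inspects every jar of an installation for the bundled log4j-core version and flags anything below the 2.16.0 the advisory names. It assumes the jars keep the Maven metadata file that log4j-core ships with; the two sample jars are constructed fixtures.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Maven metadata path inside log4j-core jars; fat jars usually keep it too.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MIN_VERSION = "2.16.0"  # what the advisory says PicApport 10.3.01 delivers

def parse_version(text):
    """Turn '2.16.0' or '2.0-beta9' into a comparable tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))

def log4j_core_version(jar_path):
    """Return the log4j-core version recorded in a jar, or None if absent."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            if POM_PROPS not in jar.namelist():
                return None
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    return value.strip()
    except zipfile.BadZipFile:
        pass  # not a real jar; treat as "no log4j-core here"
    return None

def scan(root, minimum=MIN_VERSION):
    """List every jar under root bundling log4j-core as (path, version, ok)."""
    results = []
    for jar in sorted(Path(root).rglob("*.jar")):
        version = log4j_core_version(jar)
        if version is not None:
            ok = parse_version(version) >= parse_version(minimum)
            results.append((str(jar), version, ok))
    return results

def make_sample_jar(path, version):
    # Constructed fixture: a minimal jar holding only the Maven pom.properties.
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nversion={version}\n")

def demo():
    """Build two constructed jars (one stale, one at 2.16.0) and scan them."""
    root = Path(tempfile.mkdtemp())
    make_sample_jar(root / "log4j-core-2.14.1.jar", "2.14.1")
    make_sample_jar(root / "log4j-core-2.16.0.jar", "2.16.0")
    return [(version, ok) for _, version, ok in scan(root)]
```

Run `scan("/path/to/your/picapport/install")` against a real installation; `demo()` shows the expected output shape on the constructed jars.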