Log4j Version 2.16 Disables The Java Naming and Directory Interface By Default
Rejoice, for there may now be a way to make your programs considerably less susceptible to the Log4Shell vulnerability, in the form of a new patch from Apache. The earlier 2.15 patch disabled the JNDI message lookups that are the heart of this vulnerability, but it did not fully disable JNDI, so some software could still be exposed. The new 2.16 patch disables JNDI entirely, removing the key though not the lock: JNDI remains susceptible to this hack if it is ever enabled again.
As it stands there is a way to disable the vulnerable part, which may have negative effects on how your software runs, but there is not yet a patch that lets you use JNDI message lookups safely. Log4j's widespread use means there will likely be programs that remain vulnerable for years to come, as developers suddenly realize that one of their packages actually does use Log4j in a small, often unused component.
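Finding those small, forgotten Log4j copies is the practical problem, since log4j-core is often bundled inside another JAR or WAR rather than listed as a direct dependency. The following scanner is an added example, not code from the article or from Apache; it walks a directory, opens every archive (recursing into nested JARs), reads the Maven `pom.properties` that log4j-core ships with, and flags any version below 2.16.0. The sample archives it scans are constructed in a temporary directory purely for demonstration.

```python
"""Locate log4j-core copies, including ones nested inside other archives,
and flag versions older than the 2.16.0 release that disables JNDI."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Maven metadata that log4j-core carries inside its JAR; gives us the version.
MARKER = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")
FIXED = (2, 16, 0)  # first release with JNDI disabled by default


def parse_version(v):
    """'2.16.0' -> (2, 16, 0); tolerates suffixes such as '2.0-beta9' -> (2, 0)."""
    return tuple(int(re.match(r"\d+", p).group()) for p in v.split(".")[:3])


def log4j_versions(blob, origin):
    """Yield (origin, version) for every log4j-core in this archive or in
    any archive nested inside it (fat JARs, WEB-INF/lib, etc.)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name == MARKER:
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        yield origin, line.split("=", 1)[1].strip()
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                yield from log4j_versions(zf.read(name), f"{origin}!/{name}")


def scan(root):
    """Return [(location, version, needs_upgrade)] for every archive under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix.lower() in ARCHIVE_SUFFIXES:
            for origin, ver in log4j_versions(path.read_bytes(), str(path)):
                findings.append((origin, ver, parse_version(ver) < FIXED))
    return findings


def make_jar(entries):
    """Build an in-memory archive from {name: bytes}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Constructed tree: a fat app.jar hiding an old log4j-core, plus a
    patched standalone copy. Returns [(version, needs_upgrade, was_nested)]."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        old = make_jar({MARKER: b"version=2.14.1\nartifactId=log4j-core\n"})
        (root / "app.jar").write_bytes(make_jar({"lib/log4j-core-2.14.1.jar": old}))
        (root / "log4j-core-2.16.0.jar").write_bytes(make_jar({MARKER: b"version=2.16.0\n"}))
        return [(v, bad, "!/" in o) for o, v, bad in scan(root)]


if __name__ == "__main__":
    for version, needs_upgrade, nested in demo():
        print(version, "UPGRADE" if needs_upgrade else "ok", "(nested)" if nested else "")
```

Point `scan()` at an application's deployment directory to get the same report for real archives; the nested flag is what surfaces the shaded copies the article warns about.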