Do we have a security problem using the FAF Client?
I have found three log4*.jar files in my FAF installation folder while scanning the whole pc.
Security Issue log4j
Hey @KeuleGrob, one of the client dependencies uses log4j, however the client itself doesn't use log4j. Also, that dependency has all logging facilities disabled, so there is no threat from log4j in the client.
Hi Sheika, thanks for your fast reply.
I cannot evaluate the complex security circumstances in this special case.
Is it still possible to use the Log4j version >= 2.16 with the next patch?
We have to get the dependency to update their dependencies, but we are working with them to do so and it should be updated in the next patch.
we don't need to update the log4j, we can simply set
log4j2.formatMsgNoLookups = true
and the backdoor is closed.
I sincerely hope you are right. This security issue is eating our Christmas holidays, including the weekend.
Where do I set the formatMsgNoLookups parameter? Is there, for example, an XML configuration file in the FAF Client folder?
If that dependency has all logging disabled anyway, can you just delete the log4j jars?
And how did it all end here? Deleted? Turned off? Have you come to terms with the current situation?
The dependency was updated to the newest log4j, although the client still never interacts with any of the logging there anyway.
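As an added example (not from this thread or the FAF project), here is a Python script that inspects log4*.jar files like the ones found above: it reads the log4j-core version from the jar's own pom.properties and checks whether JndiLookup.class is present, because the jar contents, not a runtime property, decide whether the message-lookup code path exists. The folder, jar names and versions it builds are constructed samples so it runs stand-alone.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# log4j-core 2.16.0 removed message lookups entirely; relying on the
# log4j2.formatMsgNoLookups property alone was later shown to be incomplete
# (CVE-2021-45046), which is why this check looks at the jar itself.
FIXED = (2, 16, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); missing components are padded with 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def inspect_jar(path):
    """Classify one jar from disk. Returns None unless it is log4j-core."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if POM_PROPS not in names:
            return None  # log4j-api, bridges etc. never contain the lookup code
        version = "unknown"
        for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_CLASS in names
    # Safe if the lookup class was stripped, or the version no longer resolves lookups in messages.
    safe = (not has_jndi) or (version != "unknown" and parse_version(version) >= FIXED)
    return {"file": Path(path).name, "version": version, "jndi_lookup_present": has_jndi, "safe": safe}


def scan_folder(folder):
    """Walk an install folder (e.g. the FAF client directory) and report every log4j-core jar."""
    return [r for r in (inspect_jar(p) for p in sorted(Path(folder).rglob("log4j*.jar"))) if r]


def build_sample_folder():
    """Constructed sample: three jars resembling the ones the poster found (not real FAF files)."""
    folder = Path(tempfile.mkdtemp())
    samples = {"log4j-core-2.14.1.jar": ("2.14.1", True),   # old core: lookup class present
               "log4j-core-2.17.1.jar": ("2.17.1", True),   # current core: class present, lookups removed
               "log4j-api-2.14.1.jar": (None, False)}       # api jar only: nothing to exploit
    for name, (version, jndi) in samples.items():
        with zipfile.ZipFile(folder / name, "w") as jar:
            if version:
                jar.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
            if jndi:
                jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only; body irrelevant
    return folder


if __name__ == "__main__":
    for report in scan_folder(build_sample_folder()):
        print(report)
```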