by toyg
1653 days ago
Log4j2 uses some JVM features to resolve some addresses, and these features can end up blindly loading external classes in the affected JVMs. Note that non-affected JVMs are still vulnerable to other issues triggered by that resolution process, just not as bad as loading untrusted remote objects. So you should upgrade log4j2 even if you use a non-vulnerable JVM.