by rst 1636 days ago
The threat here is that "an attacker with permission to modify the logging configuration file can construct a malicious configuration". If the attacker can modify server config files, this particular log4j fixup is likely to still leave you with nasty problems.

Yes, that would be true. Unfortunately, log4j doesn't get configuration exclusively from config files on the server where it's running. This doesn't look like no access to full RCE like the first few rounds. But this might let an attacker turn a small exploit into a big exploit.
I suppose that there could be companies that load logging configs from a shared filesystem share that the non-security-minded now-retired ex-IT director threw up on an insecure server somewhere "so I can debug the outages better." Still not as bad as the log content being an attack vector!
> ex-IT director

If only that were true. At least we could bond over what an idiot 'that guy' was.

But he probably is friends with the CEO so we can't say shit.

Old IT directors never die, they simply fade away, much like the sanity of everyone left.