I just downloaded log4j-core-2.17.0.jar and when I open it, I see "org/apache/logging/log4j/core/lookup/JndiLookup.class" still part of the jar.
On the Apache security page they have mentioned that:
Implement one of the following mitigation techniques:
Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later). Otherwise, in any release other than 2.16.0, you may remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Is it like we have to download the JAR and then remove the JNDI entry manually? I thought in log4j 2.16 and 2.17 it was removed already.
Please clarify.
log4j2 2.17 still supports JNDI lookups, so it needs the JndiLookup.class. 2.17 fixes the bugs related to JNDI lookups that allowed code execution (2.15) and Denial of Service (2.16). Deleting the JndiLookup.class from logstash converted a remote execution catastrophe to a class-not-found exception. It still potentially breaks logstash (DoS), but that is still a better result.
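To make the two points above concrete (the class is still shipped in fixed releases, so its presence alone says nothing; and the zip -d workaround simply drops that one entry), here is an added Python example, not code from the question, the answer, or the Log4j project. It reads Implementation-Version from the jar manifest, checks for JndiLookup.class, and writes a copy without it; the jar it inspects is a constructed stand-in built in a temp directory, not a real log4j-core build.

```python
import os
import tempfile
import zipfile

# Path of the class named in the Apache mitigation advice.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def log4j_core_version(jar_path):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None."""
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():          # handles CRLF manifests
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def has_jndi_lookup(jar_path):
    """True if the jar still contains JndiLookup.class (as 2.17.0 does)."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP in zf.namelist()


def strip_jndi_lookup(jar_path, out_path):
    """Copy jar to out_path without JndiLookup.class; same effect as zip -q -d."""
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(out_path, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    return removed


def make_sample_jar(path, version):
    """Constructed stand-in for log4j-core; entries are placeholders, not real classes."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo():
    """Build the sample, check it, apply the workaround, re-check; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "log4j-core-2.17.0.jar")
        out = os.path.join(tmp, "log4j-core-2.17.0-nojndi.jar")
        make_sample_jar(src, "2.17.0")
        before = has_jndi_lookup(src)            # True: class is present in 2.17.0
        removed = strip_jndi_lookup(src, out)    # True: one entry dropped
        after = has_jndi_lookup(out)             # False: copy no longer has it
        return log4j_core_version(src), before, removed, after
```

Decide on the version first; only fall back to stripping the class when you cannot upgrade, since the answer notes that removing it turns any JNDI lookup into a class-not-found error rather than a feature that works.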