Trying to understand the #log4j exploit.
For log4j less than 2.0 it's exploitable and there's no mitigation?
For log4j 2.10+ you can set log4j2.formatMsgNoLookups to true to mitigate it, and that's the default starting in 2.15?
What about less than 2.10?
@FLOX_advocate for older versions you can manually remove the exploited class file.
See the news section on https://logging.apache.org/log4j/2.x/
Further, various sources claim to be unable to reproduce the exploit on 1.x since the news that "it's also vulnerable" broke.
https://mobile.twitter.com/ceki/status/1469482504969097216 (this is one of the original authors of log4j 1.x)
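The class-removal mitigation the reply above refers to, as an added example that is not code from this thread or from the Apache project. Apache's advisory gives it as `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`; this version does the same with Python's zipfile module and runs against a constructed stand-in jar (no real log4j bytecode) so the before/after state can be checked offline.

```python
"""Audit a log4j-core jar for JndiLookup.class and write a copy without it."""
import io
import zipfile

# Entry that Apache's advisory says to delete from log4j-core jars.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def entry_names(jar_bytes: bytes) -> list:
    """List the entry names of a jar given as raw bytes (a jar is a zip)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()


def has_jndi_lookup(jar_bytes: bytes) -> bool:
    """True if the jar still ships the JndiLookup class."""
    return JNDI_LOOKUP in entry_names(jar_bytes)


def strip_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Return a copy of the jar with JndiLookup.class removed.

    Every other entry is copied with its original name and data, which is
    what `zip -d` does in place. A jar without the class is returned as-is.
    """
    if not has_jndi_lookup(jar_bytes):
        return jar_bytes
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                continue  # drop only the lookup class
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def make_sample_jar() -> bytes:
    """Constructed stand-in for a log4j-core jar: a manifest, a neighbouring
    lookup class and a fake JndiLookup.class (placeholder bytes, not bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    jar = make_sample_jar()
    print("before:", has_jndi_lookup(jar))                  # True
    print("after: ", has_jndi_lookup(strip_jndi_lookup(jar)))  # False
```

To apply it to a real file, read the jar into bytes, pass it through strip_jndi_lookup and write the result back (keep a backup of the original).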