Reposted a post on Twitter
String interpolation in log messages has been removed in Log4j 2.16.0, so one would have to use this pattern explicitly in the Log4j configuration file. In other words, an attacker would need to be able to overwrite the Log4j configuration to exploit this.
(╯°□°）╯︵ ┻━┻ (@joschi83)Fri, 17 Dec 2021 08:29 GMT
This post was filed under reposts.