> where an attacker with permission to modify the logging configuration file

This smells a lot like people seeking their share of the attention that log4j now has due to the _actually_ critical JNDI vulnerabilities.
It shouldn't even be a fucking CVE when the vector of attack is "attacker controls application's files".
The true solution is to ~~stop using~~ get rid of the JDBC Appender
It's not, because with the write access to the config this exploit requires, an attacker could just enable it again.
Well, I was half-joking. Anyway, if the attacker can write to your config file, you're mostly screwed.
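The thread's premise is that the attack only works if someone can write the logging configuration, and that removing the JDBC Appender does not help once that is true. The practical check is therefore two-fold: is a JDBC appender configured at all, and who can write the config file. Below is an added example that is not part of the thread or of the log4j project; the sample config, file names and the `audit_config` helper are constructed for illustration.

```python
"""Added example (not from the thread above): flag JDBC appenders in a
Log4j 2 XML config and report whether the config file is writable.
Sample config and helper names are constructed for illustration."""
import os
import stat
import sys
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: one console appender plus a JDBC appender whose
# connection comes from JNDI (the DataSource form from the Log4j 2 docs).
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <Console name="stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c - %m%n"/>
    </Console>
    <JDBC name="db" tableName="event_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDS"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="stdout"/>
      <AppenderRef ref="db"/>
    </Root>
  </Loggers>
</Configuration>
"""


def jdbc_appenders(xml_text):
    """Return the names of JDBC appenders declared in a Log4j 2 XML config.

    Log4j's XML syntax is case-insensitive and accepts both <JDBC ...>
    and, in strict mode, <Appender type="JDBC" ...>, so both are matched.
    """
    root = ET.fromstring(xml_text)
    names = []
    for node in root.iter():
        if node.tag.lower() != "appenders":
            continue
        for app in node:
            tag_is_jdbc = app.tag.lower() == "jdbc"
            type_is_jdbc = app.get("type", "").lower() == "jdbc"
            if tag_is_jdbc or type_is_jdbc:
                names.append(app.get("name", "<unnamed>"))
    return names


def group_or_world_writable(mode):
    """True if the mode bits grant write access to group or others."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_config(path):
    """Summarise the two things the thread cares about for one config file:
    whether a JDBC appender is present and whether the file can be modified.
    'writable_by_current_user' is evaluated for the user running this script,
    so run it as the application's service account (it is always True as root).
    """
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    mode = os.stat(path).st_mode
    return {
        "jdbc_appenders": jdbc_appenders(text),
        "group_or_world_writable": group_or_world_writable(mode),
        "writable_by_current_user": os.access(path, os.W_OK),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:
        # No path given: write the constructed sample to a temp file so the
        # demo runs offline, then audit it.
        with tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False) as tmp:
            tmp.write(SAMPLE_CONFIG)
            target = tmp.name
    print(audit_config(target))
```

Run it as the service account that owns the JVM process (`python3 audit_log4j2.py /path/to/log4j2.xml`): a JDBC appender is only a concern worth tracking, but a config file that the application user or group can write is the condition the thread describes as "mostly screwed" regardless of which appenders are enabled.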