Update: Oracle workaround for Log4j vulnerability not reliable
According to the latest update from Oracle, the previously communicated workaround for the Log4j vulnerability is NOT working properly. Oracle is still working intensively on a solution to this problem. We are in constant contact with Oracle and will report any developments in our news.
Statement from Oracle:
"A new CVE-2021-45046 was released, affecting org.apache.logging.log4j:log4j-core package, versions prior to 2.16.0.
The new CVE identified:
- The fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations
- The previous workaround, involving the addition of "-Dlog4j2.formatMsgNoLookups=true" JVM parameter, does NOT mitigate this specific vulnerability."
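An added example (not Oracle's code and not from this site) of checking an installation against the statement above: it reads the log4j-core version from a JAR's Maven metadata, flags versions prior to 2.16.0, and reports when the JVM relies on the `formatMsgNoLookups` flag. The function names and the in-memory sample JARs are constructed for illustration; the check assumes the JAR still carries its `pom.properties` and does not unpack nested JARs.

```python
import io
import re
import zipfile

# Maven metadata entry shipped inside log4j-core JARs (assumed not stripped).
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 16, 0)  # per the statement: versions prior to 2.16.0 are affected
FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def core_version(jar_bytes):
    """Return the log4j-core version as a tuple, or None if the JAR has none."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PATH not in jar.namelist():
            return None
        props = jar.read(POM_PATH).decode("utf-8", "replace")
    # Pre-releases such as 2.0-beta9 compare by their numeric part only.
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", props, re.MULTILINE)
    if not m:
        return None
    return tuple(int(p or 0) for p in m.groups())


def assess(jar_bytes, jvm_args):
    """Classify one JAR together with the JVM arguments of the process loading it."""
    version = core_version(jar_bytes)
    if version is None:
        return "no log4j-core found"
    if version >= FIXED:
        return "not in affected range"
    if FLAG in jvm_args:
        return "affected: flag set, but it does not mitigate CVE-2021-45046"
    return "affected: version prior to 2.16.0"


def make_jar(version):
    """Build a constructed, in-memory stand-in for a log4j-core JAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PATH, f"groupId=org.apache.logging.log4j\nversion={version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    for ver, args in [("2.14.1", [FLAG]), ("2.15.0", []), ("2.16.0", [])]:
        print(ver, "->", assess(make_jar(ver), args))
```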
Note: For an overview of possible affected vendors, click here: