From c4cfe420a61fbcafb7b619d9315ba5f78e17c53c Mon Sep 17 00:00:00 2001
From: idk <hankhill19580@gmail.com>
Date: Fri, 10 Dec 2021 21:01:15 -0500
Subject: [PATCH] disable any chance of JNDI lookups in log4j.properties file
 by setting %m{nolookups}. I don't think we're actually vulnerable to
 CVE-2021-44228 if I'm understanding correctly, by default it doesn't seem
 like we actually use log4j for much of anything and we don't do much logging
 of arbitrarily crafted remote inputs, but also it seems like this JNDI
 lookups thing is way more trouble than it could possibly be worth to us.
 Maybe it's a good idea to make sure it's turned off by default.

---
 apps/jetty/resources/log4j.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/jetty/resources/log4j.properties b/apps/jetty/resources/log4j.properties
index 8899c004be..b9dfb6707e 100644
--- a/apps/jetty/resources/log4j.properties
+++ b/apps/jetty/resources/log4j.properties
@@ -5,5 +5,5 @@ log4j.rootLogger=INFO, stdout
 
 log4j.appender.stdout=org.apache.log4j.ConsoleAppender
 log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
-log4j.appender.stdout.layout.ConversionPattern=%-4r [%t] %-5p %c %x - %m%n
+log4j.appender.stdout.layout.ConversionPattern=%-4r [%t] %-5p %c %x - %m{nolookups}%n
 
-- 
GitLab