Recently, the Log4j issue got a lot of attention. I run a chatbot web app that is not based on the Java stack. However, there is a backend component that analyzes the chatbot user input, and that component is based on Java. I wonder whether, to mitigate the Log4j issue, scanning the text input as a pre-processing step in the backend and removing all references to ${jndi: is a solution to mitigate the security issue?
Anders
Iching Chang
- Isn't this question just a more specific case of [Can one protect from the Log4j exp by sanitizing the parameters](/q/257921/129883)? – Fire Quacker Dec 23 '21 at 13:50
- There are too many ways the attack string can look, and a simple string match will only match the simple ones. – Steffen Ullrich Dec 23 '21 at 14:40