Exclude org/apache/logging/log4j/core/lookup/JndiLookup.class entirely

It's the one sure-fire way to prevent further exploits using JNDI through Log4j.
2025-03-31 16:30:30 +08:00 · 2021-12-14 19:37:37 -05:00 · 2021-12-14 19:37:37 -05:00 · fd842c4364
commit fd842c4364
parent 002452e755
1 changed files with 3 additions and 0 deletions
--- a/proxy/build.gradle
+++ b/proxy/build.gradle
@ -153,6 +153,9 @@ shadowJar {
    // Exclude Checker Framework annotations
    exclude 'org/checkerframework/checker/**'

+    // Exclude a Log4j class well-known for its use in recent security exploits.
+    exclude 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
+
    relocate 'org.bstats', 'com.velocitypowered.proxy.bstats'
 }