Posted to notifications@logging.apache.org by "Matt Sicker (Jira)" <ji...@apache.org> on 2021/12/29 00:23:00 UTC

[jira] [Commented] (LOG4J2-3294) Default to having placeholders off in log4j and remove JNDI lookups

    [ https://issues.apache.org/jira/browse/LOG4J2-3294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17466267#comment-17466267 ] 

Matt Sicker commented on LOG4J2-3294:
-------------------------------------

JNDI is already disabled by default. The latest 2.17.1 release ensured the other JNDI-related code was controlled through the same JNDI enablement property. In 3.x, JNDI-related functionality is already being moved to its own module for users who might still need it for anything. And placeholders are already disabled for log messages and other sensitive areas; removing that from configuration files entirely would break 99+% of log4j configuration files in existence!

> Default to having placeholders off in log4j and remove JNDI lookups
> -------------------------------------------------------------------
>
>                 Key: LOG4J2-3294
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3294
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: Appenders
>    Affects Versions: 2.13.0, 2.14.0, 2.15.0, 2.16.0, 2.17.0
>         Environment: Java 17
>            Reporter: jamie fisher
>            Priority: Critical
>
> Log4j keeps having RCE bugs and security issues relating to placeholders ${like:this}.
> Normally when a product has multiple severe security problems we would just use something else, but many people cannot change to another, less bloated logger.
> My proposal is to completely remove JNDI, which leads to arbitrary code execution (why is this in a logging library?). This feature is used by less than 0.001% of log4j users (in my measurements).
> My second proposal is to have features such as placeholders disabled by default (it is rare that these are needed under normal circumstances, their parsing is slow and has posed several security issues in the past).

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
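Added example, not code from the Jira thread or from the Log4j project: a small Python audit that walks a constructed log4j2.xml and lists the configuration-time placeholders the comment above says must keep working (`${sys:...}`, `${env:...}`, `${date:...}`, bare property references), while separately flagging any `jndi:` lookup, which in 2.17.1 stays inert unless the `log4j2.enableJndiLookup` property is set to true (that property name is my assumption; the thread does not name it).

```python
import re
from collections import Counter

# A log4j2 placeholder is ${prefix:body} for a lookup, or ${name} for a
# property defined in <Properties> or supplied as a system property.
LOOKUP_RE = re.compile(r"\$\{(?:([A-Za-z][A-Za-z0-9_-]*):)?([^${}]+)\}")

# Constructed sample configuration, not taken from the Jira thread. The last
# Property deliberately uses a jndi: lookup so the audit has something to flag.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Properties>
    <Property name="logDir">${sys:user.home}/logs</Property>
    <Property name="host">${env:HOSTNAME}</Property>
    <Property name="dsName">${jndi:java:comp/env/jdbc/app}</Property>
  </Properties>
  <Appenders>
    <File name="app" fileName="${logDir}/${host}-${date:yyyy-MM-dd}.log">
      <PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>
    </File>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="app"/></Root></Loggers>
</Configuration>
"""


def find_placeholders(config_text):
    """Return (prefix, body) pairs; prefix is 'property' for a bare ${name}."""
    return [(m.group(1) or "property", m.group(2))
            for m in LOOKUP_RE.finditer(config_text)]


def audit(config_text):
    """Summarise configuration-time lookups and whether JNDI would be needed."""
    found = find_placeholders(config_text)
    jndi = [body for prefix, body in found if prefix == "jndi"]
    return {
        "total": len(found),
        "by_prefix": dict(Counter(prefix for prefix, _ in found)),
        "jndi_bodies": jndi,
        # Assumption: in 2.17.1 the jndi lookup only resolves when the JVM is
        # started with -Dlog4j2.enableJndiLookup=true; otherwise it is inert.
        "needs_enable_jndi_lookup": bool(jndi),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against a real log4j2.xml by replacing SAMPLE_CONFIG with the file contents; a non-empty `jndi_bodies` list is the only case where the 2.17.1 default would change behaviour.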