Posted to notifications@logging.apache.org by "Danny Brugman (Jira)" <ji...@apache.org> on 2022/01/04 10:05:00 UTC

[jira] [Created] (LOG4J2-3311) Interpolations in config file stop functioning when JndiLookup.class is removed

Danny Brugman created LOG4J2-3311:
-------------------------------------

             Summary: Interpolations in config file stop functioning when JndiLookup.class is removed
                 Key: LOG4J2-3311
                 URL: https://issues.apache.org/jira/browse/LOG4J2-3311
             Project: Log4j 2
          Issue Type: Bug
          Components: Lookups
    Affects Versions: 2.16.0
            Reporter: Danny Brugman


A commonly used mitigation for CVE-2021-44228 for systems that cannot be updated (yet) is to remove the JndiLookup.class from the log4j-core jar. This should not have any adverse effects besides disabling JNDI lookups altogether.

However, with version 2.16.0, interpolations/lookups in config files no longer work when the JndiLookup.class is removed. Although the latest log4j releases should completely fix the 'log4shell' issue, there are many users who don't feel comfortable, and who will still remove the JndiLookup.class 'just to be sure'. 

The consequence is that log files might get written to unexpected directories, using unexpected file names, etc., which might break log aggregation, which is a security concern in itself.

I think all fixes for the recent log4j security problems should be 'backward compatible' with earlier suggested fixes and workarounds.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
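To find deployments in the state this report describes, the following added example (not part of the original message or of Log4j) inspects a log4j-core jar and flags the case where JndiLookup.class has been removed on the version named in the ticket. It assumes the jar keeps the standard Maven `pom.properties` entry; the helper names and the sample jars are constructed for illustration.

```python
import io
import zipfile

# Entry names inside log4j-core (standard jar layout).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
REPORTED_AFFECTED = {"2.16.0"}  # "Affects Versions" field of LOG4J2-3311


def inspect_log4j_core(jar):
    """Return (version, jndi_present, finding) for a log4j-core jar.

    `jar` is a path or a binary file object. version is None when the
    Maven pom.properties entry is absent (e.g. a shaded or repackaged jar).
    """
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    version = value.strip()
    jndi_present = JNDI_CLASS in names
    if jndi_present:
        finding = "JndiLookup.class present"
    elif version in REPORTED_AFFECTED:
        finding = ("JndiLookup.class removed on a version listed in "
                   "LOG4J2-3311: verify config lookups still resolve")
    else:
        finding = "JndiLookup.class removed"
    return version, jndi_present, finding


def make_sample_jar(version, with_jndi):
    """Build a constructed, in-memory stand-in for a log4j-core jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for ver, jndi in (("2.16.0", True), ("2.16.0", False), ("2.14.1", False)):
        print(ver, jndi, inspect_log4j_core(make_sample_jar(ver, jndi)))
```

For jars flagged this way, check where the application actually writes its log files, since the report's concern is file names and directories that no longer resolve from the configuration.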