Posted to notifications@logging.apache.org by "Volkan Yazici (Jira)" <ji...@apache.org> on 2021/12/13 20:45:00 UTC

[jira] [Commented] (LOG4J2-3216) CVE-2021-44228 applicability to Json Layout log messages

    [ https://issues.apache.org/jira/browse/LOG4J2-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458704#comment-17458704 ] 

Volkan Yazici commented on LOG4J2-3216:
---------------------------------------

# You are strongly advised to migrate to [JsonTemplateLayout|https://logging.apache.org/log4j/2.x/manual/json-template-layout.html], which is a successor of {{JsonLayout}}.
# No, {{JsonLayout}} is not affected by CVE-2021-44228. {{JsonLayout}} only performs lookup interpolation for additional-fields provided in the configuration.

> CVE-2021-44228 applicability to Json Layout log messages
> --------------------------------------------------------
>
>                 Key: LOG4J2-3216
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3216
>             Project: Log4j 2
>          Issue Type: Question
>    Affects Versions: 2.13.3
>         Environment: Linux based Java Containerized services deployed in kubernetes cluster.
>            Reporter: kiranmayi
>            Priority: Major
>
> Hi,
> We are exploring whether CVE-2021-44228 is applicable to JSON layout statements.
> In our analysis, we found that JNDI lookups are not triggered by Log4j for JSON layout and messages printing as below (value is printed as it is, no JNDI lookup is triggered in Log4j):
> "{"thread":"ingress-h2c-nio-2","level":"WARN","loggerName":"x.x.x.x","message":"Vulnerability Header: ${jndi:ldap://127.0.0.1:3089/o=reference}","endOfBatch":false,"loggerFqcn":"org.apache.logging.log4j.spi.AbstractLogger","instant":{"epochSecond":1639395879,"nanoOfSecond":612537400},"contextMap":{"ocLogId":"1639395879561_107_localhost"},"threadId":107,"threadPriority":5,"messageTimestamp":"2021-12-13T17:14:39.612+0530","ocLogId":"1639395879561_107_localhost","pod":"${ctx:hostname}","processId":"10912","instanceType":"prod","ingressTxId":"${ctx:ingressTxId}"}"
>
> Can you please confirm if the CVE is not applicable to JSON Layout messages?



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
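As an added defender-side example (not code from the issue, the commenter, or the Log4j project), the script below parses JsonLayout output and reports every field that still contains a literal `${prefix:...}` string, using a sample line constructed from the event quoted in the issue; a `${jndi:...}` string surviving verbatim in `message` confirms the layout did not evaluate it there, and is also a probe worth alerting on.

```python
"""Scan JsonLayout output lines for unresolved Log4j lookup strings.

Added example, not part of the Jira thread. Each JSON event is parsed,
every string value is walked (including nested objects such as
"contextMap"), and fields that still hold a literal ${prefix:...}
pattern are reported with the lookup prefix they carry.
"""
import json
import re
from typing import Iterator

# Matches ${prefix:rest}, capturing the prefix; nested braces are not handled.
LOOKUP_RE = re.compile(r"\$\{([A-Za-z0-9_-]+):[^}]*\}")

# Lookup prefixes whose evaluation would reach out to an external resource.
HIGH_RISK_PREFIXES = {"jndi"}

def walk_strings(obj, path="") -> Iterator[tuple[str, str]]:
    """Yield (json_path, value) for every string inside a parsed JSON event."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk_strings(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk_strings(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj

def find_lookups(line: str) -> list[dict]:
    """Return one finding per unresolved lookup string in a JsonLayout line."""
    findings = []
    for path, value in walk_strings(json.loads(line)):
        for m in LOOKUP_RE.finditer(value):
            prefix = m.group(1).lower()
            findings.append({"field": path, "prefix": prefix,
                             "literal": m.group(0),
                             "high_risk": prefix in HIGH_RISK_PREFIXES})
    return findings

# Constructed sample, reduced from the event quoted in the issue.
SAMPLE_LINE = json.dumps({
    "level": "WARN",
    "message": "Vulnerability Header: ${jndi:ldap://127.0.0.1:3089/o=reference}",
    "contextMap": {"ocLogId": "1639395879561_107_localhost"},
    "pod": "${ctx:hostname}",
    "ingressTxId": "${ctx:ingressTxId}",
})

if __name__ == "__main__":
    for f in find_lookups(SAMPLE_LINE):
        print(f"[{'HIGH' if f['high_risk'] else 'info'}] {f['field']}: {f['literal']}")
```

Unresolved `${ctx:...}` strings in configured additional fields (the one place JsonLayout does interpolate) simply mean that context key was absent at log time, so they are reported as informational rather than high risk.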