Posted to dev@logging.apache.org by "Gary Gregory (JIRA)" <ji...@apache.org> on 2017/06/27 06:12:00 UTC

[jira] [Commented] (LOG4J2-1958) Deprecate SerializedLayout and remove it as default

    [ https://issues.apache.org/jira/browse/LOG4J2-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16064336#comment-16064336 ] 

Gary Gregory commented on LOG4J2-1958:
--------------------------------------

Should we log a status logger warning if a {{SerializedLayout}} is used?

> Deprecate SerializedLayout and remove it as default
> ---------------------------------------------------
>
>                 Key: LOG4J2-1958
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-1958
>             Project: Log4j 2
>          Issue Type: Task
>          Components: Appenders, Layouts
>    Affects Versions: 2.8.2
>            Reporter: Mikael Ståldal
>            Assignee: Mikael Ståldal
>             Fix For: 2.9
>
>
> Due to the inherent security weakness of Java object serialization (see CVE-2017-5645), we should deprecate SerializedLayout and discourage its use. We should also remove it as the default from the appenders which currently have it:
> * SocketAppender
> * JmsAppender
> For the time being, we can recommend using JsonLayout as a replacement.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)