Posted to notifications@logging.apache.org by "jamie fisher (Jira)" <ji...@apache.org> on 2021/12/28 22:07:00 UTC
[jira] [Created] (LOG4J2-3294) Default to having placeholders off in log4j and remove JNDI lookups
jamie fisher created LOG4J2-3294:
------------------------------------
Summary: Default to having placeholders off in log4j and remove JNDI lookups
Key: LOG4J2-3294
URL: https://issues.apache.org/jira/browse/LOG4J2-3294
Project: Log4j 2
Issue Type: Improvement
Components: Appenders
Affects Versions: 2.17.0, 2.16.0, 2.15.0, 2.14.0, 2.13.0
Environment: Java 17
Reporter: jamie fisher
Log4j keeps having RCE bugs and security issues relating to placeholders ${like:this}.
Normally when a product has multiple severe security problems we would just use something else, but for many people they cannot change to another less bloated logger.
My proposal is to *completely remove JNDI*, which leads to arbitrary code execution (why is this in a logging library?). This feature is used by less than 0.001% of log4j users (in my measurements).
My second proposal is to have features such as placeholders disabled by default (it is rare that these are needed under normal circumstances, their parsing is slow and has posed several security issues in the past).
--
This message was sent by Atlassian Jira
(v8.20.1#820001)