Posted to notifications@logging.apache.org by "jamie fisher (Jira)" <ji...@apache.org> on 2021/12/28 22:07:00 UTC

[jira] [Created] (LOG4J2-3294) Default to having placeholders off in log4j and remove JNDI lookups

jamie fisher created LOG4J2-3294:
------------------------------------

             Summary: Default to having placeholders off in log4j and remove JNDI lookups
                 Key: LOG4J2-3294
                 URL: https://issues.apache.org/jira/browse/LOG4J2-3294
             Project: Log4j 2
          Issue Type: Improvement
          Components: Appenders
    Affects Versions: 2.17.0, 2.16.0, 2.15.0, 2.14.0, 2.13.0
         Environment: Java 17
            Reporter: jamie fisher


Log4j keeps having RCE bugs and security issues relating to placeholders ${like:this}.
Normally, when a product has multiple severe security problems we would just use something else, but many people cannot change to another, less bloated logger.

My proposal is to completely remove JNDI, which leads to arbitrary code execution (why is this in a logging library?). This feature is used by less than 0.001% of log4j users (in my measurements).

My second proposal is to have features such as placeholders disabled by default (it is rare that these are needed under normal circumstances, their parsing is slow, and they have posed several security issues in the past).

--
This message was sent by Atlassian Jira
(v8.20.1#820001)