Posted to notifications@logging.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2021/12/11 23:07:00 UTC

[jira] [Commented] (LOG4J2-3208) Disable JNDI by default

    [ https://issues.apache.org/jira/browse/LOG4J2-3208?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457763#comment-17457763 ] 

ASF subversion and git services commented on LOG4J2-3208:
---------------------------------------------------------

Commit c362aff473e9812798ff8f25f30a2619996605d5 in logging-log4j2's branch refs/heads/release-2.x from Ralph Goers
[ https://gitbox.apache.org/repos/asf?p=logging-log4j2.git;h=c362aff ]

LOG4J2-3208 - Disable JNDI by default


> Disable JNDI by default
> -----------------------
>
>                 Key: LOG4J2-3208
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3208
>             Project: Log4j 2
>          Issue Type: Story
>          Components: Core
>    Affects Versions: 2.15.0
>            Reporter: Ralph Goers
>            Priority: Major
>             Fix For: 2.15.1
>
>
> Dealing with CVE-2021-4422 has shown that JNDI has significant security issues. While we have mitigated what we are aware of, it would be safer for users to completely disable it by default, especially since the large majority are unlikely to be using it. Those who are will need to specify -Dlog4j2.enableJndi=true or the environment variable form of it to use any JNDI components.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
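With JNDI off by default, the audit question becomes which JVMs have explicitly turned it back on. The following is an added example, not part of the original message or of Log4j: a check over a process's argument vector and environment for the `log4j2.enableJndi` property named in the issue. The environment spelling `LOG4J_ENABLE_JNDI`, the function names and the sample processes are assumptions made for illustration.

```python
import shlex

PROP = "log4j2.enableJndi"        # property named in the issue text
ENV_FORM = "LOG4J_ENABLE_JNDI"    # assumed spelling of the environment-variable form
OPTION_VARS = ("JAVA_TOOL_OPTIONS", "JDK_JAVA_OPTIONS")  # extra JVM options come from these
TAKES_VALUE = {"-cp", "-classpath", "--class-path", "-p", "--module-path"}

def jvm_options(argv):
    """Yield launcher options only; anything after -jar/-m or the main class
    is an application argument and never becomes a system property."""
    args = iter(argv[1:])
    for arg in args:
        if arg in ("-jar", "-m", "--module") or not arg.startswith("-"):
            return
        if arg in TAKES_VALUE:
            next(args, None)      # skip the option's value
            continue
        yield arg

def last_setting(options):
    """Value of the last -Dlog4j2.enableJndi=<v> seen, or None (a later -D wins)."""
    value = None
    for opt in options:
        if opt.startswith(f"-D{PROP}="):
            value = opt.split("=", 1)[1]
    return value

def enabled(value):
    return value is not None and value.lower() == "true"

def jndi_findings(argv, env):
    """List every place where this process explicitly re-enables JNDI."""
    findings = []
    if enabled(last_setting(jvm_options(argv))):
        findings.append("command line")
    for var in OPTION_VARS:       # shlex approximates the JVM's own option splitting
        if enabled(last_setting(shlex.split(env.get(var, "")))):
            findings.append(var)
    if enabled(env.get(ENV_FORM)):
        findings.append(ENV_FORM)
    return findings

# Constructed sample processes: (argv, environment)
SAMPLES = {
    "default": (["java", "-Xmx512m", "-jar", "app.jar"], {}),
    "flag": (["java", f"-D{PROP}=true", "-cp", "lib/*", "com.example.Main"], {}),
    "app-arg": (["java", "-jar", "app.jar", f"-D{PROP}=true"], {}),
    "overridden": (["java", f"-D{PROP}=true", f"-D{PROP}=false", "-jar", "app.jar"], {}),
    "env": (["java", "-jar", "app.jar"],
            {"JAVA_TOOL_OPTIONS": f"-D{PROP}=TRUE", ENV_FORM: "true"}),
}

if __name__ == "__main__":
    for name, (argv, env) in SAMPLES.items():
        print(name, jndi_findings(argv, env) or "JNDI left at default")
```

On a Linux host the same function can be fed from `/proc/<pid>/cmdline` and `/proc/<pid>/environ`, both split on NUL bytes.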