Posted to notifications@logging.apache.org by "Volkan Yazici (Jira)" <ji...@apache.org> on 2021/12/13 20:45:00 UTC

[jira] [Assigned] (LOG4J2-3216) CVE-2021-44228 applicability to Json Layout log messages

     [ https://issues.apache.org/jira/browse/LOG4J2-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Volkan Yazici reassigned LOG4J2-3216:
-------------------------------------

    Assignee: Volkan Yazici

> CVE-2021-44228 applicability to Json Layout log messages
> --------------------------------------------------------
>
>                 Key: LOG4J2-3216
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3216
>             Project: Log4j 2
>          Issue Type: Question
>    Affects Versions: 2.13.3
>         Environment: Linux based Java Containerized services deployed in kubernetes cluster.
>            Reporter: kiranmayi
>            Assignee: Volkan Yazici
>            Priority: Major
>
> Hi,
> We are exploring whether CVE-2021-44228 is applicable to JSON layout statements.
> In our analysis, we found that JNDI lookups are not triggered by Log4j for JSON layout, and messages are printed as below (the value is printed as it is; no JNDI lookup is triggered in Log4j):
> {"thread":"ingress-h2c-nio-2","level":"WARN","loggerName":"x.x.x.x","message":"Vulnerability Header: ${jndi:ldap://127.0.0.1:3089/o=reference}","endOfBatch":false,"loggerFqcn":"org.apache.logging.log4j.spi.AbstractLogger","instant":{"epochSecond":1639395879,"nanoOfSecond":612537400},"contextMap":{"ocLogId":"1639395879561_107_localhost"},"threadId":107,"threadPriority":5,"messageTimestamp":"2021-12-13T17:14:39.612+0530","ocLogId":"1639395879561_107_localhost","pod":"${ctx:hostname}","processId":"10912","instanceType":"prod","ingressTxId":"${ctx:ingressTxId}"}
>  
> Can you please confirm whether the CVE is applicable to JSON Layout messages?



--
This message was sent by Atlassian Jira
(v8.20.1#820001)