Posted to notifications@logging.apache.org by "Ralph Goers (Jira)" <ji...@apache.org> on 2022/02/19 07:57:00 UTC

[jira] [Closed] (LOG4J2-3294) Default to having placeholders off in log4j and remove JNDI lookups

     [ https://issues.apache.org/jira/browse/LOG4J2-3294?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ralph Goers closed LOG4J2-3294.
-------------------------------
    Resolution: Not A Problem

JNDI is in the library because it is still used by JEE applications as well as JMS and JDBC in some circumstances. I would guess well over 80% of Log4j users use property substitution (although Matt's guess is probably closer). 

Log4j 2.17.2 has fixed property substitution so that Lookup recursion is no longer necessary or allowed. 

I am closing this since a) it covers multiple topics and b) everything mentioned has been covered to the degree it needs to be.

> Default to having placeholders off in log4j and remove JNDI lookups
> -------------------------------------------------------------------
>
>                 Key: LOG4J2-3294
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3294
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: Appenders
>    Affects Versions: 2.13.0, 2.14.0, 2.15.0, 2.16.0, 2.17.0
>         Environment: Java 17
>            Reporter: jamie fisher
>            Priority: Critical
>
> Log4j keeps having RCE bugs and security issues relating to placeholders ${like:this}.
> Normally, when a product has multiple severe security problems we would just use something else, but many people cannot change to another, less bloated logger.
> My proposal is to completely remove JNDI, which leads to arbitrary code execution (why is this in a logging library?). This feature is used by less than 0.001% of log4j users (in my measurements).
> My second proposal is to have features such as placeholders disabled by default (it is rare that these are needed under normal circumstances, their parsing is slow and it has posed several security issues in the past).
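A simplified model of the two substitution behaviours discussed in this thread: the older mode in which a lookup's result is itself re-scanned for placeholders (the "Lookup recursion" Ralph refers to), and the 2.17.2-style mode in which a lookup's result is inserted as literal text. This is an added example written for this page, not Log4j code; the `${prefix:key}` regex, the `sys` prefix and the `PROPERTIES` table are constructed for illustration and do not reproduce Log4j's real parser.

```python
import re
from typing import Callable, Dict, Optional

# Constructed pattern for a ${prefix:key} placeholder. The key may not contain
# '${', so any nesting can only arrive through a lookup's returned value.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_.-]+):([^${}]*)\}")

LookupTable = Dict[str, Callable[[str], Optional[str]]]

# Depth guard so a self-referential value cannot recurse forever.
MAX_DEPTH = 10


def substitute(template: str, lookups: LookupTable, recursive: bool, _depth: int = 0) -> str:
    """Resolve ${prefix:key} placeholders in `template`.

    recursive=True  models the pre-2.17.2 behaviour: a lookup's result is
                    itself substituted, so one value can trigger further lookups.
    recursive=False models the 2.17.2 behaviour described in the comment:
                    the lookup's result is inserted verbatim and never re-scanned.
    """
    if _depth > MAX_DEPTH:
        raise ValueError("placeholder recursion limit exceeded")

    def resolve(match: "re.Match[str]") -> str:
        prefix, key = match.group(1), match.group(2)
        lookup = lookups.get(prefix)
        value = lookup(key) if lookup else None
        if value is None:
            return match.group(0)  # unknown prefix or key: leave the text untouched
        if recursive:
            return substitute(value, lookups, recursive, _depth + 1)
        return value

    return PLACEHOLDER.sub(resolve, template)


# Constructed sample properties: one value refers to another placeholder,
# one refers to itself.
PROPERTIES = {
    "appName": "orders",
    "logDir": "/var/log/${sys:appName}",
    "loop": "${sys:loop}",
}

LOOKUPS: LookupTable = {"sys": PROPERTIES.get}

if __name__ == "__main__":
    print(substitute("${sys:logDir}/app.log", LOOKUPS, recursive=True))   # nested value resolved
    print(substitute("${sys:logDir}/app.log", LOOKUPS, recursive=False))  # nested value kept literal
```

With `recursive=False` the placeholder embedded in `logDir` survives as plain text, which is the property that removes the chaining of one lookup into another.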



--
This message was sent by Atlassian Jira
(v8.20.1#820001)