You are viewing a plain text version of this content. The canonical link for it is here.
Posted to log4j-dev@logging.apache.org by "Remko Popma (JIRA)" <ji...@apache.org> on 2016/11/05 13:52:58 UTC
[jira] [Assigned] (LOG4J2-1226) Message instances are simply
serialized. They mustn't.
[ https://issues.apache.org/jira/browse/LOG4J2-1226?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Remko Popma reassigned LOG4J2-1226:
-----------------------------------
Assignee: Remko Popma
> Message instances are simply serialized. They mustn't.
> ------------------------------------------------------
>
> Key: LOG4J2-1226
> URL: https://issues.apache.org/jira/browse/LOG4J2-1226
> Project: Log4j 2
> Issue Type: Bug
> Components: API
> Affects Versions: 2.5
> Reporter: Joern Huxhorn
> Assignee: Remko Popma
>
> Right now, any Message instance used to call any log method are simply sent as they are.
> Instead, the {{Throwable}} must be transformed into a {{ThrowableProxy}}. Custom {{Message}} implementations must be transformed into one of log4j's standard message implementations and care must be taken to convert the {{Parameters}} {{Object[]}} into {{String[]}} before the message is serialized.
> Otherwise, deserialization will fail if a custom {{Throwable}}, custom {{Message}} or custom parameter is not contained in the classpath of the application receiving the serialized {{LogEvent}}.
> I found those issues while implementing the circumvention for [Apache Commons statement to widespread Java object de-serialisation vulnerability|https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread] in [Lilith|http://lilithapp.com].
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: log4j-dev-unsubscribe@logging.apache.org
For additional commands, e-mail: log4j-dev-help@logging.apache.org