This is an automated email from the ASF dual-hosted git repository.
rgoers pushed a commit to branch release-2.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
The following commit(s) were added to refs/heads/release-2.x by this push:
new c77b3cb Restrict LDAP access via JNDI (#608)
c77b3cb is described below
commit c77b3cb39312b83b053d23a2158b99ac7de44dd3
Author: Ralph Goers <[email protected]>
AuthorDate: Sat Dec 4 21:03:32 2021 -0700
Restrict LDAP access via JNDI (#608)
* Restrict LDAP access via JNDI
* Disable most JNDI protocols
* Rename test. Various minor fixes
* LOG4J2-3201 - Limit the protocols JNDI can use by default. Limit the
servers and classes that can be accessed via LDAP.
---
log4j-core/pom.xml | 5 +
.../log4j/core/appender/mom/JmsAppender.java | 42 +++++-
.../apache/logging/log4j/core/net/JndiManager.java | 120 ++++++++++++++++-
.../apache/logging/log4j/core/util/NetUtils.java | 48 +++++++
.../logging/log4j/core/lookup/JndiExploit.java | 36 ++++++
.../core/lookup/JndiRestrictedLookupTest.java | 144 +++++++++++++++++++++
.../src/test/resources/JndiRestrictedLookup.ldif | 4 +
pom.xml | 7 +
src/changes/changes.xml | 3 +
src/site/xdoc/manual/appenders.xml | 27 ++++
src/site/xdoc/manual/configuration.xml.vm | 26 ++++
src/site/xdoc/manual/extending.xml | 5 +-
src/site/xdoc/manual/lookups.xml | 7 +
13 files changed, 465 insertions(+), 9 deletions(-)
diff --git a/log4j-core/pom.xml b/log4j-core/pom.xml
index 9c6cabe..01b5e70 100644
--- a/log4j-core/pom.xml
+++ b/log4j-core/pom.xml
@@ -349,6 +349,11 @@
<artifactId>awaitility</artifactId>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>org.zapodot</groupId>
+ <artifactId>embedded-ldap-junit</artifactId>
+ <scope>test</scope>
+ </dependency>
</dependencies>
<build>
<plugins>
diff --git
a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/JmsAppender.java
b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/JmsAppender.java
index ddac666..35f5b10 100644
---
a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/JmsAppender.java
+++
b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/JmsAppender.java
@@ -88,6 +88,15 @@ public class JmsAppender extends AbstractAppender {
@PluginBuilderAttribute
private boolean immediateFail;
+ @PluginBuilderAttribute
+ private String allowedLdapClasses;
+
+ @PluginBuilderAttribute
+ private String allowedLdapHosts;
+
+ @PluginBuilderAttribute
+ private String allowedJndiProtocols;
+
// Programmatic access only for now.
private JmsManager jmsManager;
@@ -100,8 +109,21 @@ public class JmsAppender extends AbstractAppender {
JmsManager actualJmsManager = jmsManager;
JmsManagerConfiguration configuration = null;
if (actualJmsManager == null) {
+ Properties additionalProperties = null;
+ if (allowedLdapClasses != null || allowedLdapHosts != null) {
+ additionalProperties = new Properties();
+ if (allowedLdapHosts != null) {
+ additionalProperties.put(JndiManager.ALLOWED_HOSTS,
allowedLdapHosts);
+ }
+ if (allowedLdapClasses != null) {
+ additionalProperties.put(JndiManager.ALLOWED_CLASSES,
allowedLdapClasses);
+ }
+ if (allowedJndiProtocols != null) {
+
additionalProperties.put(JndiManager.ALLOWED_PROTOCOLS, allowedJndiProtocols);
+ }
+ }
final Properties jndiProperties =
JndiManager.createProperties(factoryName, providerUrl, urlPkgPrefixes,
- securityPrincipalName, securityCredentials, null);
+ securityPrincipalName, securityCredentials,
additionalProperties);
configuration = new JmsManagerConfiguration(jndiProperties,
factoryBindingName, destinationBindingName,
userName, password, false, reconnectIntervalMillis);
actualJmsManager = AbstractManager.getManager(getName(),
JmsManager.FACTORY, configuration);
@@ -202,6 +224,21 @@ public class JmsAppender extends AbstractAppender {
return this;
}
+ public Builder setAllowedLdapClasses(final String allowedLdapClasses) {
+ this.allowedLdapClasses = allowedLdapClasses;
+ return this;
+ }
+
+ public Builder setAllowedLdapHosts(final String allowedLdapHosts) {
+ this.allowedLdapHosts = allowedLdapHosts;
+ return this;
+ }
+
+ public Builder setAllowedJndiProtocols(final String
allowedJndiProtocols) {
+ this.allowedJndiProtocols = allowedJndiProtocols;
+ return this;
+ }
+
/**
* Does not include the password.
*/
@@ -212,7 +249,8 @@ public class JmsAppender extends AbstractAppender {
+ ", securityCredentials=" + securityCredentials + ",
factoryBindingName=" + factoryBindingName
+ ", destinationBindingName=" + destinationBindingName +
", username=" + userName + ", layout="
+ getLayout() + ", filter=" + getFilter() + ",
ignoreExceptions=" + isIgnoreExceptions()
- + ", jmsManager=" + jmsManager + "]";
+ + ", jmsManager=" + jmsManager + ", allowedLdapClasses=" +
allowedLdapClasses
+ + ", allowedLdapHosts=" + allowedLdapHosts + ",
allowedJndiProtocols=" + allowedJndiProtocols + "]";
}
}
diff --git
a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
index 2670857..2d7604f 100644
---
a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
+++
b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
@@ -17,31 +17,69 @@
package org.apache.logging.log4j.core.net;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
import java.util.Properties;
import java.util.concurrent.TimeUnit;
import javax.naming.Context;
-import javax.naming.InitialContext;
+import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.InitialDirContext;
import org.apache.logging.log4j.core.appender.AbstractManager;
import org.apache.logging.log4j.core.appender.ManagerFactory;
import org.apache.logging.log4j.core.util.JndiCloser;
+import org.apache.logging.log4j.core.util.NetUtils;
+import org.apache.logging.log4j.util.PropertiesUtil;
/**
- * Manages a JNDI {@link javax.naming.Context}.
+ * Manages a JNDI {@link javax.naming.directory.DirContext}.
*
* @since 2.1
*/
public class JndiManager extends AbstractManager {
+ public static final String ALLOWED_HOSTS = "allowedLdapHosts";
+ public static final String ALLOWED_CLASSES = "allowedLdapClasses";
+ public static final String ALLOWED_PROTOCOLS = "allowedJndiProtocols";
+
private static final JndiManagerFactory FACTORY = new JndiManagerFactory();
+ private static final String PREFIX = "log4j2.";
+ private static final String LDAP = "ldap";
+ private static final String LDAPS = "ldaps";
+ private static final String JAVA = "java";
+ private static final List<String> permanentAllowedHosts =
NetUtils.getLocalIps();
+ private static final List<String> permanentAllowedClasses =
Arrays.asList(Boolean.class.getName(),
+ Byte.class.getName(), Character.class.getName(),
Double.class.getName(), Float.class.getName(),
+ Integer.class.getName(), Long.class.getName(),
Short.class.getName(), String.class.getName());
+ private static final List<String> permanentAllowedProtocols =
Arrays.asList(JAVA, LDAP, LDAPS);
+ private static final String SERIALIZED_DATA = "javaSerializedData";
+ private static final String CLASS_NAME = "javaClassName";
+ private static final String REFERENCE_ADDRESS = "javaReferenceAddress";
+ private static final String OBJECT_FACTORY = "javaFactory";
+ private final List<String> allowedHosts;
+ private final List<String> allowedClasses;
+ private final List<String> allowedProtocols;
- private final Context context;
+ private final DirContext context;
- private JndiManager(final String name, final Context context) {
+ private JndiManager(final String name, final DirContext context, final
List<String> allowedHosts,
+ final List<String> allowedClasses, final List<String>
allowedProtocols) {
super(null, name);
this.context = context;
+ this.allowedHosts = allowedHosts;
+ this.allowedClasses = allowedClasses;
+ this.allowedProtocols = allowedProtocols;
}
/**
@@ -168,7 +206,54 @@ public class JndiManager extends AbstractManager {
* @throws NamingException if a naming exception is encountered
*/
@SuppressWarnings("unchecked")
- public <T> T lookup(final String name) throws NamingException {
+ public synchronized <T> T lookup(final String name) throws NamingException
{
+ try {
+ URI uri = new URI(name);
+ if (uri.getScheme() != null) {
+ if
(!allowedProtocols.contains(uri.getScheme().toLowerCase(Locale.ROOT))) {
+ LOGGER.warn("Log4j JNDI does not allow protocol {}",
uri.getScheme());
+ return null;
+ }
+ if (LDAP.equalsIgnoreCase(uri.getScheme()) ||
LDAPS.equalsIgnoreCase(uri.getScheme())) {
+ if (!allowedHosts.contains(uri.getHost())) {
+ LOGGER.warn("Attempt to access ldap server not in
allowed list");
+ return null;
+ }
+ Attributes attributes = this.context.getAttributes(name);
+ if (attributes != null) {
+ // In testing the "key" for attributes seems to be
lowercase while the attribute id is
+ // camelcase, but that may just be true for the test
LDAP used here. This copies the Attributes
+ // to a Map ignoring the "key" and using the
Attribute's id as the key in the Map so it matches
+ // the Java schema.
+ Map<String, Attribute> attributeMap = new HashMap<>();
+ NamingEnumeration<? extends Attribute> enumeration =
attributes.getAll();
+ while (enumeration.hasMore()) {
+ Attribute attribute = enumeration.next();
+ attributeMap.put(attribute.getID(), attribute);
+ }
+ Attribute classNameAttr = attributeMap.get(CLASS_NAME);
+ if (attributeMap.get(SERIALIZED_DATA) != null) {
+ if (classNameAttr != null) {
+ String className =
classNameAttr.get().toString();
+ if (!allowedClasses.contains(className)) {
+ LOGGER.warn("Deserialization of {} is not
allowed", className);
+ return null;
+ }
+ } else {
+ LOGGER.warn("No class name provided for {}",
name);
+ return null;
+ }
+ } else if (attributeMap.get(REFERENCE_ADDRESS) != null
+ || attributeMap.get(OBJECT_FACTORY) != null) {
+ LOGGER.warn("Referenceable class is not allowed
for {}", name);
+ return null;
+ }
+ }
+ }
+ }
+ } catch (URISyntaxException ex) {
+ // This is OK.
+ }
return (T) this.context.lookup(name);
}
@@ -176,13 +261,36 @@ public class JndiManager extends AbstractManager {
@Override
public JndiManager createManager(final String name, final Properties
data) {
+ String hosts = data != null ? data.getProperty(ALLOWED_HOSTS) :
null;
+ String classes = data != null ? data.getProperty(ALLOWED_CLASSES)
: null;
+ String protocols = data != null ?
data.getProperty(ALLOWED_PROTOCOLS) : null;
+ List<String> allowedHosts = new ArrayList<>();
+ List<String> allowedClasses = new ArrayList<>();
+ List<String> allowedProtocols = new ArrayList<>();
+ addAll(hosts, allowedHosts, permanentAllowedHosts, ALLOWED_HOSTS,
data);
+ addAll(classes, allowedClasses, permanentAllowedClasses,
ALLOWED_CLASSES, data);
+ addAll(protocols, allowedProtocols, permanentAllowedProtocols,
ALLOWED_PROTOCOLS, data);
try {
- return new JndiManager(name, new InitialContext(data));
+ return new JndiManager(name, new InitialDirContext(data),
allowedHosts, allowedClasses,
+ allowedProtocols);
} catch (final NamingException e) {
LOGGER.error("Error creating JNDI InitialContext.", e);
return null;
}
}
+
+ private void addAll(String toSplit, List<String> list, List<String>
permanentList, String propertyName,
+ Properties data) {
+ if (toSplit != null) {
+ list.addAll(Arrays.asList(toSplit.split("\\s*,\\s*")));
+ data.remove(propertyName);
+ }
+ toSplit = PropertiesUtil.getProperties().getStringProperty(PREFIX
+ propertyName);
+ if (toSplit != null) {
+ list.addAll(Arrays.asList(toSplit.split("\\s*,\\s*")));
+ }
+ list.addAll(permanentList);
+ }
}
@Override
diff --git
a/log4j-core/src/main/java/org/apache/logging/log4j/core/util/NetUtils.java
b/log4j-core/src/main/java/org/apache/logging/log4j/core/util/NetUtils.java
index 8a8353e..661f74f 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/util/NetUtils.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/util/NetUtils.java
@@ -17,6 +17,8 @@
package org.apache.logging.log4j.core.util;
import java.io.File;
+import java.net.Inet4Address;
+import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.NetworkInterface;
@@ -25,11 +27,14 @@ import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.UnknownHostException;
+import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
+import java.util.List;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.status.StatusLogger;
+import org.apache.logging.log4j.util.Strings;
/**
* Networking-related convenience methods.
@@ -80,6 +85,49 @@ public final class NetUtils {
}
/**
+ * Returns all the local host names and ip addresses.
+ * @return The local host names and ip addresses.
+ */
+ public static List<String> getLocalIps() {
+ List<String> localIps = new ArrayList<>();
+ localIps.add("localhost");
+ localIps.add("127.0.0.1");
+ try {
+ final InetAddress addr = Inet4Address.getLocalHost();
+ setHostName(addr, localIps);
+ } catch (final UnknownHostException ex) {
+ // Ignore this.
+ }
+ try {
+ final Enumeration<NetworkInterface> interfaces =
NetworkInterface.getNetworkInterfaces();
+ if (interfaces != null) {
+ while (interfaces.hasMoreElements()) {
+ final NetworkInterface nic = interfaces.nextElement();
+ final Enumeration<InetAddress> addresses =
nic.getInetAddresses();
+ while (addresses.hasMoreElements()) {
+ final InetAddress address = addresses.nextElement();
+ setHostName(address, localIps);
+ }
+ }
+ }
+ } catch (final SocketException se) {
+ // ignore.
+ }
+ return localIps;
+ }
+
+ private static void setHostName(InetAddress address, List<String>
localIps) {
+ String[] parts = address.toString().split("\\s*/\\s*");
+ if (parts.length > 0) {
+ for (String part : parts) {
+ if (Strings.isNotBlank(part) && !localIps.contains(part)) {
+ localIps.add(part);
+ }
+ }
+ }
+ }
+
+ /**
* Returns the local network interface's MAC address if possible. The
local network interface is defined here as
* the {@link java.net.NetworkInterface} that is both up and not a
loopback interface.
*
diff --git
a/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiExploit.java
b/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiExploit.java
new file mode 100644
index 0000000..7b0ae46
--- /dev/null
+++
b/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiExploit.java
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache license, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the license for the specific language governing permissions and
+ * limitations under the license.
+ */
+package org.apache.logging.log4j.core.lookup;
+
+import javax.naming.Context;
+import javax.naming.Name;
+import javax.naming.spi.ObjectFactory;
+import java.util.Hashtable;
+
+import static org.junit.jupiter.api.Assertions.fail;
+
+/**
+ * Test LDAP object
+ */
+public class JndiExploit implements ObjectFactory {
+ @Override
+ public Object getObjectInstance(Object obj, Name name, Context nameCtx,
Hashtable<?, ?> environment)
+ throws Exception {
+ fail("getObjectInstance must not be allowed");
+ return null;
+ }
+}
diff --git
a/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiRestrictedLookupTest.java
b/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiRestrictedLookupTest.java
new file mode 100644
index 0000000..032c9c4
--- /dev/null
+++
b/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiRestrictedLookupTest.java
@@ -0,0 +1,144 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache license, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the license for the specific language governing permissions and
+ * limitations under the license.
+ */
+package org.apache.logging.log4j.core.lookup;
+
+import javax.naming.Context;
+import javax.naming.NamingException;
+import javax.naming.Reference;
+import javax.naming.Referenceable;
+import javax.naming.StringRefAddr;
+
+import org.apache.logging.log4j.Level;
+import org.apache.logging.log4j.message.SimpleMessage;
+import org.junit.BeforeClass;
+import org.junit.Rule;
+import org.junit.Test;
+import org.zapodot.junit.ldap.EmbeddedLdapRule;
+import org.zapodot.junit.ldap.EmbeddedLdapRuleBuilder;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+/**
+ * JndiLookupTest
+ */
+public class JndiRestrictedLookupTest {
+
+ private static final String LDAP_URL = "ldap://127.0.0.1:";;
+ private static final String RESOURCE = "JndiExploit";
+ private static final String TEST_STRING = "TestString";
+ private static final String TEST_MESSAGE = "TestMessage";
+ private static final String LEVEL = "TestLevel";
+ private static final String DOMAIN_DSN = "dc=apache,dc=org";
+ private static final String DOMAIN = "apache.org";
+
+ @Rule
+ public EmbeddedLdapRule embeddedLdapRule =
EmbeddedLdapRuleBuilder.newInstance().usingDomainDsn(DOMAIN_DSN)
+ .importingLdifs("JndiRestrictedLookup.ldif").build();
+
+ @BeforeClass
+ public static void beforeClass() {
+ System.setProperty("log4j2.allowedLdapClasses", Level.class.getName());
+ System.setProperty("log4j2.allowedJndiProtocols", "dns");
+ }
+
+ @Test
+ public void testReferenceLookup() throws Exception {
+ int port = embeddedLdapRule.embeddedServerPort();
+ Context context = embeddedLdapRule.context();
+ context.bind( "cn=" + RESOURCE +"," + DOMAIN_DSN, new Fruit("Test
Message"));
+ final StrLookup lookup = new JndiLookup();
+ String result = lookup.lookup(LDAP_URL + port + "/" + "cn=" + RESOURCE
+ "," + DOMAIN_DSN);
+ if (result != null) {
+ fail("Lookup returned an object");
+ }
+ }
+
+ @Test
+ public void testSerializableLookup() throws Exception {
+ int port = embeddedLdapRule.embeddedServerPort();
+ Context context = embeddedLdapRule.context();
+ context.bind( "cn=" + TEST_STRING +"," + DOMAIN_DSN, "Test Message");
+ final StrLookup lookup = new JndiLookup();
+ String result = lookup.lookup(LDAP_URL + port + "/" + "cn=" +
TEST_STRING + "," + DOMAIN_DSN);
+ if (result == null) {
+ fail("Lookup failed to return the test string");
+ }
+ assertEquals("Incorrect message returned", "Test Message", result);
+ }
+
+ @Test
+ public void testBadSerializableLookup() throws Exception {
+ int port = embeddedLdapRule.embeddedServerPort();
+ Context context = embeddedLdapRule.context();
+ context.bind( "cn=" + TEST_MESSAGE +"," + DOMAIN_DSN, new
SimpleMessage("Test Message"));
+ final StrLookup lookup = new JndiLookup();
+ String result = lookup.lookup(LDAP_URL + port + "/" + "cn=" +
TEST_MESSAGE + "," + DOMAIN_DSN);
+ if (result != null) {
+ fail("Lookup returned an object");
+ }
+ }
+
+ @Test
+ public void testSpecialSerializableLookup() throws Exception {
+ int port = embeddedLdapRule.embeddedServerPort();
+ Context context = embeddedLdapRule.context();
+ context.bind( "cn=" + LEVEL +"," + DOMAIN_DSN, Level.ERROR);
+ final StrLookup lookup = new JndiLookup();
+ String result = lookup.lookup(LDAP_URL + port + "/" + "cn=" + LEVEL +
"," + DOMAIN_DSN);
+ if (result == null) {
+ fail("Lookup failed to return the level");
+ }
+ assertEquals("Incorrect level returned", Level.ERROR.toString(),
result);
+ }
+
+ @Test
+ public void testDnsLookup() throws Exception {
+ final StrLookup lookup = new JndiLookup();
+ String result = lookup.lookup("dns:/" + DOMAIN);
+ if (result == null) {
+ fail("No DNS data returned");
+ }
+ }
+
+ @Test
+ public void testNisLookup() throws Exception {
+ final StrLookup lookup = new JndiLookup();
+ String result = lookup.lookup("nis:/" + DOMAIN);
+ if (result != null) {
+ fail("NIS information should not have been returned");
+ }
+ }
+
+ class Fruit implements Referenceable {
+ String fruit;
+ public Fruit(String f) {
+ fruit = f;
+ }
+
+ public Reference getReference() throws NamingException {
+
+ return new Reference(Fruit.class.getName(), new
StringRefAddr("fruit",
+ fruit), JndiExploit.class.getName(), null); // factory
location
+ }
+
+ public String toString() {
+ return fruit;
+ }
+ }
+
+}
diff --git a/log4j-core/src/test/resources/JndiRestrictedLookup.ldif
b/log4j-core/src/test/resources/JndiRestrictedLookup.ldif
new file mode 100644
index 0000000..35daf43
--- /dev/null
+++ b/log4j-core/src/test/resources/JndiRestrictedLookup.ldif
@@ -0,0 +1,4 @@
+dn: dc=apache,dc=org
+objectClass: domain
+objectClass: top
+dc: apache
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 1e7204c..9a55dda 100644
--- a/pom.xml
+++ b/pom.xml
@@ -954,6 +954,13 @@
<version>3.0.0</version>
<scope>test</scope>
</dependency>
+ <!-- Testing LDAP -->
+ <dependency>
+ <groupId>org.zapodot</groupId>
+ <artifactId>embedded-ldap-junit</artifactId>
+ <version>0.8.1</version>
+ <scope>test</scope>
+ </dependency>
</dependencies>
</dependencyManagement>
<build>
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 247face..50893bf 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -110,6 +110,9 @@
Improve PatternLayout performance by reducing unnecessary indirection
and branching.
</action>
<!-- FIXES -->
+ <action issue="LOG4J2-3201" dev="rgoers" type="fix">
+ Limit the protocols JNDI can use by default. Limit the servers and
classes that can be accessed via LDAP.
+ </action>
<action issue="LOG4J2-3114" dev="rgoers" type="fix" due-to="Barnabas
Bodnar">
Enable immediate flush on RollingFileAppender when buffered i/o is not
enabled.
</action>
diff --git a/src/site/xdoc/manual/appenders.xml
b/src/site/xdoc/manual/appenders.xml
index 7249744..d634b8a 100644
--- a/src/site/xdoc/manual/appenders.xml
+++ b/src/site/xdoc/manual/appenders.xml
@@ -1556,6 +1556,33 @@ public class ConnectionFactory {
<th>Description</th>
</tr>
<tr>
+ <td>allowdLdapClasses</td>
+ <td>String</td>
+ <td>null</td>
+ <td>
+ A comma separated list of fully qualified class names that may
be accessed by LDAP. The classes
+ must implement Serializable. Only applies when the JMS
Appender By default only Java primative classes are allowed.
+ </td>
+ </tr>
+ <tr>
+ <td>allowdLdapHosts</td>
+ <td>String</td>
+ <td>null</td>
+ <td>
+ A comma separated list of host names or ip addresses that may
be accessed by LDAP. By default only
+ the local host names and ip addresses are allowed.
+ </td>
+ </tr>
+ <tr>
+ <td>allowdJndiProtocols</td>
+ <td>String</td>
+ <td>null</td>
+ <td>
+ A comma separated list of protocol names that JNDI will allow.
By default only java, ldap, and ldaps
+ are the only allowed protocols.
+ </td>
+ </tr>
+ <tr>
<td>factoryBindingName</td>
<td>String</td>
<td><em>Required</em></td>
diff --git a/src/site/xdoc/manual/configuration.xml.vm
b/src/site/xdoc/manual/configuration.xml.vm
index e298599..5393fed 100644
--- a/src/site/xdoc/manual/configuration.xml.vm
+++ b/src/site/xdoc/manual/configuration.xml.vm
@@ -2147,6 +2147,32 @@ public class AwesomeTest {
</td>
</tr>
<tr>
+ <td><a name="allowedLdapClasses"/>log4j2.allowedLdapClasses</td>
+ <td>LOG4J_ALLOWED_LDAP_CLASSES</td>
+ <td> </td>
+ <td>
+ System property that specifies fully qualified class names that may be
accessed by LDAP. The classes
+ must implement Serializable. By default only Java primative classes are
allowed.
+ </td>
+ </tr>
+ <tr>
+ <td><a name="allowedLdapHosts"/>log4j2.allowedLdapHosts</td>
+ <td>LOG4J_ALLOWED_LDAP_HOSTS</td>
+ <td> </td>
+ <td>
+ System property that adds host names or ip addresses that may be access
by LDAP. By default it only allows
+ the local host names and ip addresses.
+ </td>
+ </tr>
+ <tr>
+ <td><a name="allowedJndiProtocols"/>log4j2.allowedJndiProtocols</td>
+ <td>LOG4J_ALLOWED_JNDI_PROTOCOLS</td>
+ <td> </td>
+ <td>
+ System property that adds protocol names that JNDI will allow. By
default it only allows java, ldap, and ldaps.
+ </td>
+ </tr>
+ <tr>
<td><a name="uuidSequence"/>log4j2.uuidSequence
<br />
(<a
name="org.apache.logging.log4j.uuidSequence"/>org.apache.logging.log4j.uuidSequence)
diff --git a/src/site/xdoc/manual/extending.xml
b/src/site/xdoc/manual/extending.xml
index ba04d68..04c742a 100644
--- a/src/site/xdoc/manual/extending.xml
+++ b/src/site/xdoc/manual/extending.xml
@@ -92,7 +92,10 @@
<dd>Associates LoggerContexts with the ClassLoader that created
the caller of the getLogger call. This is
the default ContextSelector.</dd>
<dt><a class="javadoc"
href="../log4j-core/apidocs/org/apache/logging/log4j/core/selector/JndiContextSelector.html">JndiContextSelector</a></dt>
- <dd>Locates the LoggerContext by querying JNDI.</dd>
+ <dd>Locates the LoggerContext by querying JNDI. Please see <a
href="../manual/configuration.html#allowedJndiProtocols">log4j2.allowedJndiProtocols</a>,
+ <a
href="../manual/configuration.html#allowedLdapClasses">log4j2.allowedLdapClasses</a>,
and
+ <a
href="../manual/configuration.html#allowedLdapHosts">log4j2.allowedLdapHosts</a>
for restrictions on using JNDI
+ with Log4j.</dd>
<dt><a class="javadoc"
href="../log4j-core/apidocs/org/apache/logging/log4j/core/async/AsyncLoggerContextSelector.html">AsyncLoggerContextSelector</a></dt>
<dd>Creates a LoggerContext that ensures that all loggers are
AsyncLoggers.</dd>
<dt><a class="javadoc"
href="../log4j-core/apidocs/org/apache/logging/log4j/core/osgi/BundleContextSelector.html">BundleContextSelector</a></dt>
diff --git a/src/site/xdoc/manual/lookups.xml b/src/site/xdoc/manual/lookups.xml
index d699e78..cc6a66f 100644
--- a/src/site/xdoc/manual/lookups.xml
+++ b/src/site/xdoc/manual/lookups.xml
@@ -270,6 +270,13 @@
The JndiLookup allows variables to be retrieved via JNDI. By
default the key will be prefixed with
java:comp/env/, however if the key contains a ":" no prefix will
be added.
</p>
+ <p>By default the JDNI Lookup only supports the java, ldap, and
ldaps protocols or no protocol. Additional
+ protocols may be supported by specifying them on the
<code>log4j2.allowedJndiProtocols</code> property.
+ When using LDAP Java classes that implement the Referenceable
interface are not supported for security
+ reasons. Only the Java primative classes are supported by default
as well as any classes specified by the
+ <code>log4j2.allowedLdapClasses</code> property. When using LDAP
only references to the local host name
+ or ip address are supported along with any hosts or ip addresses
listed in the
+ <code>log4j2.allowedLdapHosts</code> property.</p>
<pre class="prettyprint linenums"><