Hi everyone,

With the latest CVEs around log4j, we have seen that certain functionality of the JVM can be quite dangerous. Concretely, the JNDI functionality [1] seems to open quite a large attack vector against JVMs, which has been used in the log4j CVE case.

In order to avoid these kinds of security issues, Stephan had the idea of looking into disabling the JNDI functionality by default. It is not clear whether this is easily doable, but there exist some projects that do it for dedicated libraries [2]. That is why I wanted to reach out to the community to ask for help with this issue. Maybe you have encountered a similar problem in a different context and know how to deal with these issues.

[1] https://docs.oracle.com/javase/jndi/tutorial/getStarted/overview/index.html#:~:text=The%20Java%20Naming%20and%20Directory,any%20specific%20directory%20service%20implementation
[2] https://github.com/nccgroup/log4j-jndi-be-gone

Cheers,
Till
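Added example, not part of this thread and not code from the log4j-jndi-be-gone project linked above: that project neutralises log4j's JNDI lookup at runtime with a Java agent; the static alternative Apache documented for log4j 2.x deployments that cannot be upgraded is to delete `org/apache/logging/log4j/core/lookup/JndiLookup.class` from `log4j-core`, so the `${jndi:...}` lookup plugin can no longer be instantiated. The script below locates that class in jars, including jars nested inside war/ear bundles, and strips it from a top-level jar. The sample archives it builds are constructed for the demo (fake class bytes, not real log4j), and the version in the file names is arbitrary. Note the caveat relevant to the question in the mail: this disables JNDI for log4j only, not for the JVM as a whole.

```python
"""Find and strip log4j's JndiLookup class from jar files.

Added example for the thread above; not project code. The class path below is
the one named in the Apache Log4j mitigation:
    zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Nested archives (war/ear containing jars) are scanned but not rewritten; they
must be unpacked before stripping.
"""
from __future__ import annotations

import io
import os
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _find_in_zip(zf: zipfile.ZipFile, prefix: str) -> list[str]:
    """Return 'outer!inner!...' locations of JndiLookup.class, recursing into nested archives."""
    hits: list[str] = []
    for info in zf.infolist():
        if info.filename == JNDI_LOOKUP:
            hits.append(f"{prefix}!{info.filename}")
        elif info.filename.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zf.open(info) as nested, zipfile.ZipFile(io.BytesIO(nested.read())) as nzf:
                    hits.extend(_find_in_zip(nzf, f"{prefix}!{info.filename}"))
            except zipfile.BadZipFile:
                pass  # entry merely named like an archive; skip it
    return hits


def scan(root) -> dict[str, list[str]]:
    """Map each archive under root that contains JndiLookup.class to the locations found."""
    results: dict[str, list[str]] = {}
    for path in sorted(Path(root).rglob("*")):
        if not (path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES):
            continue
        try:
            with zipfile.ZipFile(path) as zf:
                hits = _find_in_zip(zf, str(path))
        except zipfile.BadZipFile:
            continue
        if hits:
            results[str(path)] = hits
    return results


def strip_jndi_lookup(jar_path) -> bool:
    """Rewrite jar_path without its top-level JndiLookup.class. Returns True if one was removed."""
    jar_path = Path(jar_path)
    tmp = jar_path.with_suffix(jar_path.suffix + ".tmp")
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info))  # keeps per-entry compression settings
    os.replace(tmp, jar_path)  # atomic swap so a crash never leaves a half-written jar
    return True


def build_sample(root) -> Path:
    """Write CONSTRUCTED sample archives under root (placeholder bytes, not real log4j)."""
    lib = Path(root) / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only; constructed placeholder
    jar = lib / "log4j-core-2.14.1.jar"  # version string is arbitrary
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_LOOKUP, fake_class)
        zf.writestr("org/apache/logging/log4j/core/lookup/DateLookup.class", fake_class)
    with zipfile.ZipFile(lib / "other-lib.jar", "w") as zf:  # clean jar: must not be reported
        zf.writestr("com/example/Other.class", fake_class)
    with zipfile.ZipFile(Path(root) / "app.war", "w") as zf:  # bundle with the jar nested inside
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.write(jar, "WEB-INF/lib/log4j-core-2.14.1.jar")
    return jar


def demo() -> dict:
    """Build the sample tree, scan it, strip the top-level jar, rescan; return a summary."""
    with tempfile.TemporaryDirectory() as root:
        jar = build_sample(root)
        before = scan(root)
        removed = strip_jndi_lookup(jar)
        after = scan(root)
        return {
            "hits_before": sum(len(v) for v in before.values()),
            "removed": removed,
            "hits_after": sum(len(v) for v in after.values()),
            "remaining": [Path(p).name for p in sorted(after)],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

After the strip, the only remaining finding is the copy nested inside `app.war`, which is exactly the case a filesystem-level `zip -d` on `log4j-core-*.jar` misses; bundled deployments need to be unpacked and repacked. Removing the class does nothing for other JNDI entry points in the application, so it complements rather than replaces a runtime approach like the agent in [2].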
