[
https://issues.apache.org/jira/browse/LOG4J2-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mikael Ståldal updated LOG4J2-1958:
-----------------------------------
Description:
Due to inherent security weakness of Java object serialization, see
https://www.owasp.org/index.php/Deserialization_of_untrusted_data, we should
deprecate SerializedLayout and discourage its use. We should also remove it as
default from the appenders which currently have it:
* SocketAppender
* JmsAppender
For the time being, we can recommend using JsonLayout as a replacement.
was:
Due to inherent security weakness of Java object serialization, see
CVE-2017-5645, we should deprecate SerializedLayout and discourage its use. We
should also remove it as default from the appenders which currently have it:
* SocketAppender
* JmsAppender
For the time being, we can recommend using JsonLayout as a replacement.
> Deprecate SerializedLayout and remove it as default
> ---------------------------------------------------
>
> Key: LOG4J2-1958
> URL: https://issues.apache.org/jira/browse/LOG4J2-1958
> Project: Log4j 2
> Issue Type: Task
> Components: Appenders, Layouts
> Affects Versions: 2.8.2
> Reporter: Mikael Ståldal
> Assignee: Mikael Ståldal
> Fix For: 2.9
>
>
> Due to inherent security weakness of Java object serialization, see
> https://www.owasp.org/index.php/Deserialization_of_untrusted_data, we should
> deprecate SerializedLayout and discourage its use. We should also remove it
> as default from the appenders which currently have it:
> * SocketAppender
> * JmsAppender
> For the time being, we can recommend using JsonLayout as a replacement.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
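As an added example (not part of this issue or of the Log4j project's own documentation), the log4j2.xml fragment below shows the two appenders named above first relying on SerializedLayout, which is the implicit default this task removes, and then with JsonLayout configured explicitly as the recommended replacement. The hostnames, ports, JNDI names and the ActiveMQ factory class are assumptions made for illustration; the element and attribute names are the standard Log4j 2 configuration names for SocketAppender, JmsAppender, SerializedLayout and JsonLayout.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from LOG4J2-1958. Hosts, ports and JNDI names are assumed. -->
<Configuration status="WARN">
  <Appenders>

    <!-- Weak: the remote end must run Java object deserialization on every
         LogEvent it receives. Before this change, omitting the layout on a
         SocketAppender or JmsAppender gave exactly this behaviour by default. -->
    <Socket name="LegacySocket" host="logcollector.example.internal"
            port="4560" protocol="TCP">
      <SerializedLayout/>
    </Socket>

    <!-- Hardened: explicit JsonLayout. The receiver parses text instead of
         reconstructing arbitrary Java objects from the wire. -->
    <Socket name="JsonSocket" host="logcollector.example.internal"
            port="4560" protocol="TCP">
      <JsonLayout compact="true" eventEol="true" properties="true"/>
    </Socket>

    <!-- Same replacement applied to the JMS appender. The factory class and
         provider URL are placeholders for an assumed ActiveMQ broker. -->
    <JMS name="JmsQueue"
         destinationBindingName="LogQueue"
         factoryName="org.apache.activemq.jndi.ActiveMQInitialContextFactory"
         factoryBindingName="ConnectionFactory"
         providerURL="tcp://broker.example.internal:61616">
      <JsonLayout compact="true" eventEol="true" properties="true"/>
    </JMS>

  </Appenders>
  <Loggers>
    <!-- Only the JSON-based appenders are wired in; LegacySocket is kept above
         solely to show the configuration being replaced. -->
    <Root level="info">
      <AppenderRef ref="JsonSocket"/>
      <AppenderRef ref="JmsQueue"/>
    </Root>
  </Loggers>
</Configuration>
```

Two practical points when making this switch: JsonLayout needs Jackson (jackson-core and jackson-databind) on the classpath, and the change only removes the deserialization exposure if the receiving side is also changed to consume JSON rather than continuing to accept serialized LogEvent objects, so audit the collector or JMS consumer at the same time as the sending configuration.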