[
https://issues.apache.org/jira/browse/LOG4J2-1959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16068709#comment-16068709
]
Mikael Ståldal commented on LOG4J2-1959:
----------------------------------------
Lower privileged users are not supposed to upload configuration files to
Log4j.
This is a "just in case" / defence-in-depth fix.
It is possible to upload configuration
[via JMX|http://logging.apache.org/log4j/2.x/manual/jmx.html], but you are not
supposed to give lower privileged users access to JMX.
> Disable DTD processing in XML configuration files
> -------------------------------------------------
>
> Key: LOG4J2-1959
> URL: https://issues.apache.org/jira/browse/LOG4J2-1959
> Project: Log4j 2
> Issue Type: Improvement
> Components: Configurators
> Affects Versions: 2.8.2
> Reporter: Mikael Ståldal
> Assignee: Mikael Ståldal
> Fix For: 2.9
>
>
> For security reasons, DTD processing should be disabled when parsing XML
> configuration files.