[
https://issues.apache.org/jira/browse/LOG4J2-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16069028#comment-16069028
]
ASF subversion and git services commented on LOG4J2-1958:
---------------------------------------------------------
Commit 70677348c98b51e6bbe73466a66b77301c1b71df in logging-log4j2's branch
refs/heads/master from [~garydgregory]
[ https://git-wip-us.apache.org/repos/asf?p=logging-log4j2.git;h=7067734 ]
[LOG4J2-1958] Deprecate SerializedLayout and remove it as default.
> Deprecate SerializedLayout and remove it as default
> ---------------------------------------------------
>
> Key: LOG4J2-1958
> URL: https://issues.apache.org/jira/browse/LOG4J2-1958
> Project: Log4j 2
> Issue Type: Task
> Components: Appenders, Layouts
> Affects Versions: 2.8.2
> Reporter: Mikael Ståldal
> Assignee: Mikael Ståldal
> Fix For: 2.9
>
>
> Due to inherent security weakness of Java object serialization, see
> https://www.owasp.org/index.php/Deserialization_of_untrusted_data, we should
> deprecate SerializedLayout and discourage its use. We should also remove it
> as default from the appenders which currently has it:
> * SocketAppender
> * JmsAppender
> For the time being, we can recommend using JsonLayout as a replacement.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
