JNDI was only part of the issue but we did indeed seek to sanitize JNDI as much as we could in 2.15.0. However, we felt it best to disable it by default in 2.16.0 so that it would be more difficult to accidentally use. We will continue to look to improve that sanitization logic so that users who do use JNDI can do it as safely as possible or, if users request it, we may seek to add similar functionality using alternate APIs.
I hope that answers your question.

Ralph

> On Dec 13, 2021, at 12:21 AM, Dash a <[email protected]> wrote:
>
> Hello,
> Sorry to storm in on a discussion that probably happened internally, but
> correct me if I am wrong: the solution offered doesn't seem to fix the
> original issue, which appears to be due to lack of sanitization, but rather
> disables it by default.
>
> This seems a bit lacking if that is the case, as if some software happens to
> have a use case for the feature they will be forced to apply each his own
> variant solution, and otherwise it can be accessed by other vulnerabilities.
>
> Hope you could verify regarding those concerns.
> Daniel
