Serge Huber created KARAF-7061:
----------------------------------

             Summary: Add default message escaping for Log4J2 configuration to help prevent log injection attacks
                 Key: KARAF-7061
                 URL: https://issues.apache.org/jira/browse/KARAF-7061
             Project: Karaf
          Issue Type: Improvement
          Components: karaf
    Affects Versions: 4.2.10, 4.3.0
            Reporter: Serge Huber


As recommended in 
https://www.linuxsecrets.com/owasp-wiki/index.php/Injection_Prevention_Cheat_Sheet_in_Java.html#Example_using_Log4j2
to prevent log injections of CRLF or HTML code (which could be exploited if the 
logs are displayed in an HTML page), we should change the default log4j2 
pattern in Karaf from:

{code}
log4j2.pattern = %d{ISO8601} | %-5p | %-16t | %-32c{1} | %X{bundle.id} - %X{bundle.name} - %X{bundle.version} | %m%n
{code}

to something like this:
{code}
log4j2.pattern = %d{ISO8601} | %-5p | %-16t | %-32c{1} | %X{bundle.id} - %X{bundle.name} - %X{bundle.version} | %encode{%.-500m}%n
{code}

See : 

This would limit the message to 500 characters to prevent sending huge messages, 
and will turn on the default HTML escaping, which escapes CRLF and any HTML tags 
such as <script>.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
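The following is an added example, not code from the Karaf issue, the Karaf project or Log4j2 itself. It renders a constructed log-injection payload through Log4j2's PatternLayout twice, once with the current Karaf pattern and once with the proposed %encode{%.-500m} pattern, so the effect of the change can be seen without starting Karaf (in a Karaf instance the pattern lives in etc/org.ops4j.pax.logging.cfg). The class name, logger name, thread name and the attacker-controlled username are all made up for the demonstration; it needs log4j-api and log4j-core on the classpath and Java 11 or later for String.repeat.

```java
// Added example (not from the Karaf issue or the Karaf/Log4j2 projects).
// Renders one constructed log event through the current and the proposed
// Karaf log4j2.pattern so the effect of %encode{%.-500m} is visible.
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.impl.Log4jLogEvent;
import org.apache.logging.log4j.core.layout.PatternLayout;
import org.apache.logging.log4j.message.SimpleMessage;

public class LogInjectionDemo {

    // Current Karaf default: %m is written verbatim, so CR/LF and markup pass through.
    static final String UNSAFE_PATTERN =
        "%d{ISO8601} | %-5p | %-16t | %-32c{1} | %X{bundle.id} - %X{bundle.name} - %X{bundle.version} | %m%n";

    // Proposed pattern: %encode{...} with no second argument uses HTML escaping
    // (CR, LF, &, <, >, ", ', /), and %.-500m keeps only the first 500 characters
    // of the message (the '-' means truncate from the end).
    static final String SAFE_PATTERN =
        "%d{ISO8601} | %-5p | %-16t | %-32c{1} | %X{bundle.id} - %X{bundle.name} - %X{bundle.version} | %encode{%.-500m}%n";

    /** Formats a single event with the given pattern and returns the rendered text. */
    static String render(String pattern, String message) {
        PatternLayout layout = PatternLayout.newBuilder().withPattern(pattern).build();
        LogEvent event = Log4jLogEvent.newBuilder()
            .setLoggerName("org.example.Login")   // hypothetical logger name
            .setLevel(Level.WARN)
            .setThreadName("qtp-12")              // hypothetical thread name
            .setMessage(new SimpleMessage(message))
            .build();
        return layout.toSerializable(event);
    }

    public static void main(String[] args) {
        // Constructed payload: an attacker-controlled username that (1) forges a second,
        // INFO-level line via CRLF and (2) plants a script tag for a web-based log viewer.
        String attackerName = "alice\r\n"
            + "2021-01-01T00:00:00,000 | INFO  | qtp-12 | Login | 0 - root - 1.0 | login ok for admin"
            + "<script>alert(document.cookie)</script>";
        String message = "login failed for user " + attackerName;

        System.out.println("--- unsafe (current default) ---");
        System.out.print(render(UNSAFE_PATTERN, message));
        // Two physical lines come out; the forged "login ok for admin" line is
        // indistinguishable from a genuine entry.

        System.out.println("--- safe (%encode{%.-500m}) ---");
        System.out.print(render(SAFE_PATTERN, message));
        // One physical line: CR and LF are written as the two-character sequences \r and \n,
        // and the tag is written as &lt;script&gt;alert(document.cookie)&lt;&#x2F;script&gt;.

        // Truncation check: a 10,000-character message contributes at most 500
        // characters of %m to the rendered line.
        String huge = "x".repeat(10_000);
        System.out.println("rendered length with huge message: "
            + render(SAFE_PATTERN, huge).length());
    }
}
```

Two caveats worth keeping in mind when adopting the pattern. First, %encode only wraps %m here; %X{bundle.name}, %t and %c are emitted unescaped, so any of those that can carry attacker-influenced text would need the same wrapping. Second, HTML escaping rewrites &, quotes and slashes as entities, which is the right choice if the logs are rendered in a browser but adds noise to logs read with grep or a terminal; %encode{%.-500m}{CRLF} is the narrower alternative that only neutralises line breaks.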