[jira] [Commented] (LOG4J2-2340) Do not print stack trace when environment variables access is restricted

Tue, 15 May 2018 01:17:39 -0700 

    [ 
https://issues.apache.org/jira/browse/LOG4J2-2340?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16475476#comment-16475476
 ] 

Sebastien Lannez commented on LOG4J2-2340:
------------------------------------------

log4j 2.11.0 API: 

[https://github.com/apache/logging-log4j2/blob/55800749851323647aff32a4da99cc03f7c3991a/log4j-api/src/main/java/org/apache/logging/log4j/util/EnvironmentPropertySource.java#L47]

The proposed code change is to simply remove the call to 
LowLevelLogUtil.logException.

 

> Do not print stack trace when environment variables access is restricted
> ------------------------------------------------------------------------
>
>                 Key: LOG4J2-2340
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-2340
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 2.11.0
>            Reporter: Sebastien Lannez
>            Priority: Major
>              Labels: security
>
> This issue is a security issue. 
> When running log4j in a restricted environment where the calling application 
> is not allowed to access environment variables, then when log4j initializes a 
> Logger our security manager raises a SecurityException because it tries to 
> get access to all environment variables (getenv.*). The current log4j code 
> properly catches the SecurityException and ignores it, which is correct as it 
> allows the application to continue. The issue is that it also prints the 
> exception message and the stack trace. 
> Printing the exception message is a bit too much in our context (the users do 
> not need to know about this issue: there is nothing he can do + the exception 
> is just ignored, which means even the core log4j does not handle this case). 
> But the most important issue is the stack trace printing, which can be 
> exploited by an attacker (provides information about class names that he 
> could impersonate).
>  I suggest two code changes (most important first):
> 1/ do not print the stack trace
> 2/ do not log the exception message



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to