sunnypav commented on pull request #608: URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990683057
I guess the RCE can be exploited by using a message which has a JNDI lookup, which is not possible in log4j 1.x as it doesn't support lookups. And the JMS Appender can be added to a logger either programmatically or from configuration; I couldn't quite understand how it's affected. If the developer leaves it to add the details like the JNDI URL (JMS Appender) from input, isn't it the issue of the application instead of the JMS appender? But I welcome adding support for allowing/disallowing some of the JNDI protocols as well as hosts.
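One way to implement the protocol/host allow-listing the comment asks for, as an added illustration in Java. This is not log4j code: the class name, the default protocol and host sets, and the rule that scheme-less names pass are all assumptions made for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Hypothetical allowlist for JNDI names (e.g. a JMS binding name or lookup target).
// Not part of log4j; default sets below are assumptions for illustration.
public final class JndiAllowlist {
    // Only in-process JNDI and loopback LDAP are accepted by default (assumed policy).
    private static final Set<String> ALLOWED_PROTOCOLS = Set.of("java", "ldap", "ldaps");
    private static final Set<String> ALLOWED_HOSTS = Set.of("localhost", "127.0.0.1", "::1");

    private JndiAllowlist() {}

    /** True only for a plain JNDI name or a URL whose scheme and host are both allowed. */
    public static boolean isAllowed(String name) {
        if (name == null || name.isEmpty()) return false;
        int colon = name.indexOf(':');
        if (colon < 0) return true;                // no scheme: resolved by the initial context
        String scheme = name.substring(0, colon).toLowerCase(Locale.ROOT);
        if (!ALLOWED_PROTOCOLS.contains(scheme)) return false;   // rmi, iiop, dns, ... rejected
        if (scheme.equals("java")) return true;    // in-JVM namespace, no network access
        URI uri;
        try {
            uri = new URI(name);
        } catch (URISyntaxException e) {
            return false;                          // unparseable: fail closed
        }
        String host = uri.getHost();
        if (host == null) return false;            // relative "ldap:///dn" targets are rejected
        if (host.startsWith("[") && host.endsWith("]")) {
            host = host.substring(1, host.length() - 1);   // strip IPv6 literal brackets
        }
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample names covering the accepted and rejected cases.
        String[] samples = {
            "jms/TopicConnectionFactory", "java:comp/env/jms/Topic",
            "ldap://localhost:1389/cn=cfg", "ldap://203.0.113.5:1389/cn=cfg",
            "rmi://localhost:1099/cfg", "LDAP://[::1]/cfg", "ldap:///cn=cfg"
        };
        for (String s : samples) System.out.println(s + " -> " + isAllowed(s));
    }
}
```

A deployment would wire this check in front of every InitialContext lookup the appender performs and log rejected names at WARN so that unexpected targets show up in monitoring.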
