sunnypav edited a comment on pull request #608: URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990683057
I guess the RCE can be exploited by using a message which has a JNDI lookup, which is not possible in log4j 1.x as it doesn't support lookups. And the JMS Appender can be added to a logger either programmatically or from configuration; I couldn't quite understand how it's affected. If the developer leaves it to add the details like the JNDI URL (JMS Appender) from input, isn't it the issue of the application instead of the JMS appender? But I welcome adding support for allowing/disallowing some of the JNDI protocols as well as hosts.

One suggestion from my side is to separate these appenders which communicate with external services into separate artifacts, so that one using log4j core can clearly know or choose the required appender artifacts and doesn't need to worry about something which they're never gonna use.
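The allow/disallow idea for JNDI protocols and hosts, sketched as a standalone check that an application could run on a provider URL before handing it to an `InitialContext`. This is an added illustration, not code from this pull request or from log4j; the class name `JndiAllowlist`, the policy sets and the sample URLs are constructed for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical helper (not log4j code): accepts a JNDI provider URL only
 * when both its scheme and its host appear on an explicit allowlist.
 * Anything unparsable or host-less is rejected rather than guessed at.
 */
public final class JndiAllowlist {
    private final Set<String> allowedSchemes;
    private final Set<String> allowedHosts;

    public JndiAllowlist(Set<String> allowedSchemes, Set<String> allowedHosts) {
        this.allowedSchemes = allowedSchemes;
        this.allowedHosts = allowedHosts;
    }

    /** Returns true only if the scheme AND the host are explicitly allowed. */
    public boolean isAllowed(String providerUrl) {
        if (providerUrl == null || providerUrl.isEmpty()) {
            return false;
        }
        final URI uri;
        try {
            uri = new URI(providerUrl);
        } catch (URISyntaxException e) {
            return false; // malformed input is never accepted
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return false; // opaque or host-less URIs cannot be matched against a host list
        }
        return allowedSchemes.contains(scheme.toLowerCase(Locale.ROOT))
            && allowedHosts.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed policy: only the broker we actually operate, only over tcp.
        JndiAllowlist policy = new JndiAllowlist(
            Set.of("tcp"),
            Set.of("broker.internal"));
        System.out.println(policy.isAllowed("tcp://broker.internal:61616"));   // allowed
        System.out.println(policy.isAllowed("ldap://untrusted.example/x"));     // scheme rejected
        System.out.println(policy.isAllowed("tcp://untrusted.example:61616"));  // host rejected
        System.out.println(policy.isAllowed("not a url"));                      // unparsable
    }
}
```

The check is deliberately deny-by-default: a scheme or host that is not listed fails, so adding a new broker is an explicit configuration change rather than an implicit trust.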
