Ralph Goers created LOG4J2-3208:
-----------------------------------
Summary: Disable JNDI by default
Key: LOG4J2-3208
URL: https://issues.apache.org/jira/browse/LOG4J2-3208
Project: Log4j 2
Issue Type: Story
Components: Core
Affects Versions: 2.15.0
Reporter: Ralph Goers
Fix For: 2.15.1
Dealing with CVE-2021-4422 has shown the JNDI has significant security issues.
While we have mitigated what we are aware of it would be safer for users to
completely disable it by default, especially since the large majority are
unlikely to be using it. Those who are will need to specify
-Dlog4j2.enableJndi=true or the environment variable form of it to use any JNDI
components.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
