[ https://issues.apache.org/jira/browse/LOG4J2-3207?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Volkan Yazici reassigned LOG4J2-3207:
-------------------------------------
Assignee: Volkan Yazici
> Move JNDI / network lookups out of the core module
> --------------------------------------------------
>
> Key: LOG4J2-3207
> URL: https://issues.apache.org/jira/browse/LOG4J2-3207
> Project: Log4j 2
> Issue Type: Wish
> Components: Core
> Reporter: Ches Martin
> Assignee: Volkan Yazici
> Priority: Minor
> Fix For: 2.16.0
>
>
> I don't wish to dogpile on maintainers during a difficult time (the
> vulnerability of LOG4J2-3201 / LOG4J2-3198), however:
> The surface of what can go wrong with this functionality is vast. A primary
> motivation for it originally in LOG4J2-313 was context selection, and
> anecdotally at least, web application containers are a diminishing deployment
> model in industry.
> In my operation of first- and third-party systems, I do not want this
> functionality to be used, or at least for any use to draw a high degree of
> scrutiny.
> Thus I'd like to propose that JNDI lookups require a dedicated dependency
> such as {{log4j-jndi}} without which {{${jndi:}}} lookups should not function.
> While a crucial part of the issue was a sanitization one (LOG4J2-3198) which
> could have dangers with nearly any lookup plugin, lookups involving any form
> of network access are of particular concern. Docker and Kubernetes lookups
> may thus belong in the scope of this request also.
> It would be an improvement to me if only the {{java}} JNDI protocol was
> supported in Core, but much easier to audit if {{${jndi:}}} is altogether
> unsupported.
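An added audit helper for the "easier to audit" point in the report above (example code, not from the issue or from the Log4j project): it reports whether a deployed artifact packages the class that implements the ${jndi:} lookup in log4j-core, org/apache/logging/log4j/core/lookup/JndiLookup.class (that class path is a known fact about log4j-core, not stated in the issue), descending into jars nested inside WARs and fat jars. The sample archives are constructed inline.

```python
import io
import sys
import zipfile

# Plugin class that implements ${jndi:} in log4j-core (known fact about
# log4j-core; the issue text itself does not name it).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Archive types that commonly embed other jars (WARs, EARs, uber-jars).
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def find_jndi_lookup(archive_bytes: bytes, prefix: str = "") -> list[str]:
    """Return every location of JndiLookup.class inside the archive.

    Nested archives are descended into; nested paths are joined with "!/",
    so a hit inside WEB-INF/lib/log4j-core.jar reads
    "WEB-INF/lib/log4j-core.jar!/org/.../JndiLookup.class".
    """
    hits: list[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return hits  # not a zip container: nothing to audit here
    with archive:
        for name in archive.namelist():
            if name == JNDI_LOOKUP_CLASS:
                hits.append(prefix + name)
            elif name.lower().endswith(NESTED_SUFFIXES):
                hits.extend(find_jndi_lookup(archive.read(name), prefix + name + "!/"))
    return hits


def build_sample_archive(include_jndi: bool, nested: bool = False) -> bytes:
    """Construct a toy jar (optionally wrapped in a WAR) for demonstration."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    if not nested:
        return inner.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path in sys.argv[1:]:  # usage: python audit.py app.war lib/*.jar
        with open(path, "rb") as fh:
            for hit in find_jndi_lookup(fh.read(), path + "!/"):
                print(hit)
```

A hit only means the lookup plugin is packaged and therefore available to the plugin system; whether it is reachable depends on the Log4j version and configuration, which is exactly why the reporter prefers an artifact in which it is absent altogether.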
--
This message was sent by Atlassian Jira
(v8.20.1#820001)