[jira] [Commented] (LOG4J2-3207) Move JNDI / network lookups out of the core module

Mon, 13 Dec 2021 03:08:55 -0800 


    [ 
https://issues.apache.org/jira/browse/LOG4J2-3207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458304#comment-17458304
 ] 

Volkan Yazici commented on LOG4J2-3207:
---------------------------------------

Thanks for reaching out to us [~ches]! The upcoming 2.16.0 will remove message 
lookups completely and disable JNDI by default. Put another way, messages will 
be logged as is, there will be no interpolation of any sort. Second, JNDI will 
be disabled by default, hence it needs to be explicitly enabled even for use in 
configuration files. I guess these changes address your concerns, if so I would 
appreciate it if you can close the ticket. Otherwise, please feel free to 
comment. 

> Move JNDI / network lookups out of the core module
> --------------------------------------------------
>
>                 Key: LOG4J2-3207
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3207
>             Project: Log4j 2
>          Issue Type: Wish
>          Components: Core
>            Reporter: Ches Martin
>            Priority: Minor
>
> I don't wish to dogpile on maintainers during a difficult time (the 
> vulnerability of LOG4J2-3201 / LOG4J2-3198), however:
> The surface of what can go wrong with this functionality is vast. A primary 
> motivation for it originally in LOG4J2-313 was context selection, and 
> anecdotally at least, web application containers are a diminishing deployment 
> model in industry.
> In my operation of first- and third-party systems, I do not want this 
> functionality to be used, or at least for any use to draw a high degree of 
> scrutiny.
> Thus I'd like to propose that JNDI lookups require a dedicated dependency 
> such as {{log4j-jndi}} without which {{${jndi:}}} lookups should not function.
> While a crucial part of the issue was a sanitization one (LOG4J2-3198) which 
> could have dangers with nearly any lookup plugin, lookups involving any form 
> of network access are of particular concern. Docker and Kubernetes lookups 
> may thus belong in the scope of this request also.
> It would be an improvement to me if only the {{java}} JNDI protocol was 
> supported in Core, but much easier to audit if {{${jndi:}}} is altogether 
> unsupported.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to