kiranmayi created LOG4J2-3216:
---------------------------------
Summary: CVE-2021-44228 applicability to Json Layout log messages
Key: LOG4J2-3216
URL: https://issues.apache.org/jira/browse/LOG4J2-3216
Project: Log4j 2
Issue Type: Question
Affects Versions: 2.13.3
Environment: Linux-based Java containerized services deployed in a
Kubernetes cluster.
Reporter: kiranmayi
Hi,
We are exploring whether CVE-2021-44228 is applicable to JSON layout statements.
In our analysis, we found that JNDI lookups are not triggered by Log4j for the JSON
layout, and messages print as below (the value is printed as-is; no JNDI
lookup is triggered in Log4j):
{"thread":"ingress-h2c-nio-2","level":"WARN","loggerName":"x.x.x.x","message":"Vulnerability Header: ${jndi:ldap://127.0.0.1:3089/o=reference}","endOfBatch":false,"loggerFqcn":"org.apache.logging.log4j.spi.AbstractLogger","instant":{"epochSecond":1639395879,"nanoOfSecond":612537400},"contextMap":{"ocLogId":"1639395879561_107_localhost"},"threadId":107,"threadPriority":5,"messageTimestamp":"2021-12-13T17:14:39.612+0530","ocLogId":"1639395879561_107_localhost","pod":"${ctx:hostname}","processId":"10912","instanceType":"prod","ingressTxId":"${ctx:ingressTxId}"}
Can you please confirm whether the CVE is applicable to JSON Layout messages?
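Added example, not part of the Jira issue and not Log4j project code: whatever the layout does with the lookup, the record quoted above shows that the `${jndi:...}` string reaches the log sink verbatim, so a log pipeline can at least flag it. The scanner below parses JSON-layout records, walks every string-valued field (message, context map, additional fields) and reports any Log4j lookup syntax it finds, rating `jndi` higher than other prefixes such as `ctx`. The sample records are constructed to mirror the quoted line; the function and field names are my own assumptions.

```python
import json
import re

# Plain Log4j lookup syntax: "${" followed by a prefix and a colon, e.g. ${jndi:...} or ${ctx:...}
LOOKUP_RE = re.compile(r"\$\{([A-Za-z0-9_-]+):")

# Constructed sample records (mirroring the report's JsonLayout line), plus one
# benign record and one malformed line to exercise the error path.
SAMPLE_LINES = [
    '{"thread":"ingress-h2c-nio-2","level":"WARN","loggerName":"x.x.x.x",'
    '"message":"Vulnerability Header: ${jndi:ldap://127.0.0.1:3089/o=reference}",'
    '"endOfBatch":false,"loggerFqcn":"org.apache.logging.log4j.spi.AbstractLogger",'
    '"instant":{"epochSecond":1639395879,"nanoOfSecond":612537400},'
    '"contextMap":{"ocLogId":"1639395879561_107_localhost"},"threadId":107,'
    '"threadPriority":5,"pod":"${ctx:hostname}","ingressTxId":"${ctx:ingressTxId}"}',
    '{"thread":"main","level":"INFO","loggerName":"app","message":"service started","pod":"pod-1"}',
    "not json at all",
]


def find_lookups(obj, path=""):
    """Recursively walk a decoded JSON record and yield (field_path, prefix, snippet)
    for every string value that contains Log4j lookup syntax."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from find_lookups(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            yield from find_lookups(value, f"{path}[{idx}]")
    elif isinstance(obj, str):
        for match in LOOKUP_RE.finditer(obj):
            # Keep a short snippet so the alert shows what was found without the full line
            yield path, match.group(1).lower(), obj[match.start():match.start() + 60]


def scan_record(line):
    """Parse one JSON-layout record and return a list of findings (empty if clean).
    Raises json.JSONDecodeError for lines that are not valid JSON."""
    record = json.loads(line)
    findings = []
    for field, prefix, snippet in find_lookups(record):
        # jndi is the CVE-2021-44228 vector; other unresolved lookups are informational
        severity = "HIGH" if prefix == "jndi" else "INFO"
        findings.append({"field": field, "prefix": prefix, "severity": severity, "snippet": snippet})
    return findings


def scan_lines(lines):
    """Scan many records. Returns (results, skipped) where results lists only the
    lines with findings and skipped counts lines that were not valid JSON."""
    results, skipped = [], 0
    for number, line in enumerate(lines, start=1):
        try:
            findings = scan_record(line)
        except json.JSONDecodeError:
            skipped += 1  # malformed line: count it rather than abort the whole scan
            continue
        if findings:
            results.append({"line": number, "findings": findings})
    return results, skipped


if __name__ == "__main__":
    hits, bad = scan_lines(SAMPLE_LINES)
    for hit in hits:
        for f in hit["findings"]:
            print(f"line {hit['line']} {f['severity']:<4} {f['field']}: {f['snippet']}")
    print(f"{bad} malformed line(s) skipped")
```

Run against the constructed sample, the scanner reports the `jndi` lookup in `message` as HIGH and the two `ctx` lookups in `pod` and `ingressTxId` as INFO, and skips the non-JSON line. The regex matches the plain `${prefix:` form seen in the report; treat this as a detection aid for log pipelines, not as a substitute for upgrading Log4j.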
--
This message was sent by Atlassian Jira
(v8.20.1#820001)