garydgregory commented on pull request #608: URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992591852
> Thanks a lot for all of your efforts regarding this fix. > > Does changing the log level to OFF also close the attack vector for Log4J 2.x? From our docs: The set of built-in levels includes ALL, TRACE, DEBUG, INFO, WARN, ERROR, FATAL, and OFF. Log4j 2 also supports custom log levels. Another mechanism for getting more granularity is to use Markers instead. The OFF and ALL levels are not intended to be used on calls to the logging API. Specifying OFF in the configuration implies no logging events should match while specifying ALL would mean all events match, including custom events. However, OFF can be used on logging API calls in special cases where the event should always be logged regardless of the configuration. However, it is generally recommended that a Marker with a corresponding global Marker Filter be used instead. See https://logging.apache.org/log4j/2.x/manual/architecture.html -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
