WesternGun commented on pull request #608: URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992625115
Reading the documentation of Apache Log4J 1.x https://logging.apache.org/log4j/2.x/manual/appenders.html#JMSAppender, I see a parameter configuring the protocol to use in the JMS appender.

> | Parameter Name | Type | Default | Description |
> | -- | -- | -- | -- |
> | allowdLdapClasses | String | null | A comma separated list of fully qualified class names that may be accessed by LDAP. The classes must implement Serializable. Only applies to the JMS Appender. By default only Java primitive classes are allowed. |
> | allowdLdapHosts | String | null | A comma separated list of host names or ip addresses that may be accessed by LDAP. By default only the local host names and ip addresses are allowed. |
> | allowdJndiProtocols | String | null | A comma separated list of protocol names that JNDI will allow. By default java, ldap, and ldaps are the only allowed protocols. |

Do you think changing these params and making sure ldap is not used can guard us from this vulnerability of Log4j 1.x? Of course we need to upgrade, but as a workaround for now...
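To make concrete what the three allowlist parameters quoted in the comment above describe, here is an added example (written for this page, not Log4j's own code) of an allowlist check over JNDI names: the scheme is matched against an allowed-protocol list, and for `ldap`/`ldaps` the host is additionally matched against an allowed-host list. The class name `JndiAllowlist`, the concrete default host values `localhost`, `127.0.0.1` and `::1` standing in for "the local host names and ip addresses", the treatment of a scheme-less name as a local `java:` lookup, and the sample names in `main` are all assumptions of this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

/**
 * Illustrative allowlist check for JNDI names, modelled on the
 * allowedJndiProtocols / allowedLdapHosts parameters described above.
 * Example code written for this page; not Log4j's implementation.
 */
public final class JndiAllowlist {
    // Defaults as described in the quoted table: java, ldap, ldaps.
    private static final List<String> DEFAULT_PROTOCOLS = Arrays.asList("java", "ldap", "ldaps");
    // Assumed concrete values for "the local host names and ip addresses".
    private static final List<String> DEFAULT_LDAP_HOSTS = Arrays.asList("localhost", "127.0.0.1", "::1");

    private final Set<String> allowedProtocols;
    private final Set<String> allowedLdapHosts;

    /** Each argument is a comma-separated list; null or blank means "use the default". */
    public JndiAllowlist(String allowedProtocolsCsv, String allowedLdapHostsCsv) {
        this.allowedProtocols = parseCsv(allowedProtocolsCsv, DEFAULT_PROTOCOLS);
        this.allowedLdapHosts = parseCsv(allowedLdapHostsCsv, DEFAULT_LDAP_HOSTS);
    }

    private static Set<String> parseCsv(String csv, List<String> defaults) {
        List<String> source = (csv == null || csv.trim().isEmpty())
                ? defaults
                : Arrays.asList(csv.split(","));
        return source.stream()
                .map(s -> s.trim().toLowerCase(Locale.ROOT))
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toCollection(HashSet::new));
    }

    /** Decides whether a JNDI lookup of this name may proceed. */
    public boolean isAllowed(String jndiName) {
        final URI uri;
        try {
            uri = new URI(jndiName);
        } catch (URISyntaxException e) {
            return false; // unparseable name: fail closed
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            // Assumption for this example: a bare name such as "jms/ConnectionFactory"
            // is resolved by the local InitialContext, so treat it like "java:".
            scheme = "java";
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!allowedProtocols.contains(scheme)) {
            return false;
        }
        if (scheme.equals("ldap") || scheme.equals("ldaps")) {
            String host = uri.getHost();
            if (host == null) {
                return false; // e.g. "ldap:///x": no host to check, fail closed
            }
            // java.net.URI keeps IPv6 literals in brackets; strip them before comparing.
            if (host.startsWith("[") && host.endsWith("]")) {
                host = host.substring(1, host.length() - 1);
            }
            return allowedLdapHosts.contains(host.toLowerCase(Locale.ROOT));
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample names; attacker.example is not a real host.
        String remoteLdap = "ldap://attacker.example:1389/Exploit";
        String localLdap = "ldap://127.0.0.1/x";
        String localJms = "java:comp/env/jms/ConnectionFactory";

        JndiAllowlist defaults = new JndiAllowlist(null, null);
        System.out.println("defaults, local JMS name : " + defaults.isAllowed(localJms));
        System.out.println("defaults, remote ldap    : " + defaults.isAllowed(remoteLdap));
        System.out.println("defaults, local ldap     : " + defaults.isAllowed(localLdap));

        // The configuration asked about: allow only the java protocol, so ldap is never used.
        JndiAllowlist javaOnly = new JndiAllowlist("java", null);
        System.out.println("java only, local JMS name: " + javaOnly.isAllowed(localJms));
        System.out.println("java only, local ldap    : " + javaOnly.isAllowed(localLdap));
    }
}
```

With the defaults, the local `java:` name and the loopback `ldap://` name pass while the remote `ldap://` name is rejected on the host check; with the protocol list reduced to `java`, every `ldap`/`ldaps` name is rejected regardless of host, which is the effect of "making sure ldap is not used". The checker fails closed on names it cannot parse or that carry no host, since an allowlist that falls through to "allow" on malformed input defeats its purpose.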
