[
https://issues.apache.org/jira/browse/LOG4J2-3242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17462337#comment-17462337
]
ASF subversion and git services commented on LOG4J2-3242:
---------------------------------------------------------
Commit a70e2383caf70c2cb2fe827e6eb136109ed57c25 in logging-log4j2's branch
refs/heads/release-2.12.x/LOG4J2-3242 from Gary Gregory
[ https://gitbox.apache.org/repos/asf?p=logging-log4j2.git;h=a70e238 ]
[LOG4J2-3242] Rename JNDI enablement property from 'log4j2.enableJndi'
to 'log4j2.enableJndiLookup', 'log4j2.enableJndiJms', and
'log4j2.enableJndiContextSelector'.
Cherry-pick from branch release-2.x, resolve conflicts, and tweak.
> Limit JNDI to the java protocol only
> ------------------------------------
>
> Key: LOG4J2-3242
> URL: https://issues.apache.org/jira/browse/LOG4J2-3242
> Project: Log4j 2
> Issue Type: Bug
> Components: Core
> Affects Versions: 2.16.0
> Reporter: Ralph Goers
> Priority: Major
> Fix For: 2.17.1
>
>
> The use of JNDI to access anything besides the java protocol has proven to be
> insecure. Use of anything but that must be disabled. JNDI needs to remain
> disabled by default.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
