riven8192 opened a new pull request #649: URL: https://github.com/apache/logging-log4j2/pull/649
To address the log4j JNDI vulnerability, many companies have removed JndiLookup.class from the artifact, whether or not they upgraded log4j2. This is a safeguard against the potential of newly discovered routes to JndiLookup which are not yet patched. We would rather remove the JndiLookup altogether, to take away the core issue: that a logging API should not allow code execution, no matter how each patch tries to limit access to this class.

In 2.17.0 the check for the JndiLookup class is based on a FQCN: "org.apache.logging.log4j.core.lookup.JndiLookup". However, in the master branch we see a dependency on JndiLookup.class.getName(), which in the case of a removed class file would fail the loading of *any* interpolator plugin, as all checks will cause an exception, and handleError to be executed.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
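The failure mode the PR describes (a check written against a class literal breaking once the class file has been deleted from the jar, while a check written against a string FQCN keeps working) can be reproduced without log4j. The following is an added, stand-alone Java 11+ example written for this page; it is not log4j code and not the PR author's. `RemovedLookup`, `ClassLiteralCheck`, `StringCheck`, `HidingLoader` and `MissingClassDemo` are hypothetical names: `RemovedLookup` stands in for `JndiLookup`, and `HidingLoader` plays the role of a jar from which that one `.class` entry was stripped, by refusing to load it while defining the two check classes itself so that their constant-pool references resolve through it.

```java
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.Set;

public class MissingClassDemo {

    // Hypothetical stand-in for JndiLookup: present when this file is compiled,
    // hidden at run time to mimic a jar whose JndiLookup.class entry was deleted
    // (e.g. zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).
    public static class RemovedLookup {}

    // Check written with a class literal, the pattern the PR objects to on master:
    // executing RemovedLookup.class forces the JVM to resolve the class.
    public static class ClassLiteralCheck {
        public static boolean isBlocked(String pluginClassName) {
            return pluginClassName.equals(RemovedLookup.class.getName());
        }
    }

    // Check written with a string FQCN, the 2.17.0 pattern: a plain string compare,
    // no class resolution at all.
    public static class StringCheck {
        static final String FQCN = "MissingClassDemo$RemovedLookup";
        public static boolean isBlocked(String pluginClassName) {
            return pluginClassName.equals(FQCN);
        }
    }

    // Child-first loader for the two check classes that refuses to load the hidden class.
    // Because it is the defining loader of the check classes, their class-constant
    // references are resolved through it, so the hidden class really is unreachable.
    static class HidingLoader extends ClassLoader {
        private final Set<String> hidden;
        private final Set<String> own;

        HidingLoader(ClassLoader parent, Set<String> hidden, Set<String> own) {
            super(parent);
            this.hidden = hidden;
            this.own = own;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (hidden.contains(name)) {
                throw new ClassNotFoundException(name + " (removed from artifact)");
            }
            if (!own.contains(name)) {
                return super.loadClass(name, resolve); // JDK and everything else: normal delegation
            }
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    String resource = name.replace('.', '/') + ".class";
                    try (InputStream in = getParent().getResourceAsStream(resource)) {
                        if (in == null) {
                            throw new ClassNotFoundException(name);
                        }
                        byte[] bytes = in.readAllBytes();
                        c = defineClass(name, bytes, 0, bytes.length);
                    } catch (IOException e) {
                        throw new ClassNotFoundException(name, e);
                    }
                }
                if (resolve) {
                    resolveClass(c);
                }
                return c;
            }
        }
    }

    // Loads the named check class through the hiding loader, calls isBlocked reflectively
    // and reports either the boolean result or the error that escaped from the check.
    static String run(String checkClass, String pluginClassName) throws Exception {
        ClassLoader loader = new HidingLoader(
                MissingClassDemo.class.getClassLoader(),
                Set.of("MissingClassDemo$RemovedLookup"),
                Set.of("MissingClassDemo$ClassLiteralCheck", "MissingClassDemo$StringCheck"));
        Class<?> c = Class.forName(checkClass, true, loader);
        Method isBlocked = c.getMethod("isBlocked", String.class);
        try {
            return checkClass + ": isBlocked(" + pluginClassName + ") = " + isBlocked.invoke(null, pluginClassName);
        } catch (InvocationTargetException e) {
            // The same error a plugin-loading loop would hit for every plugin, not just the removed one.
            return checkClass + ": threw " + e.getCause();
        }
    }

    public static void main(String[] args) throws Exception {
        // A harmless, unrelated plugin name: the string check simply answers false,
        // the class-literal check cannot even finish evaluating.
        System.out.println(run("MissingClassDemo$StringCheck", "org.example.DateLookup"));
        System.out.println(run("MissingClassDemo$ClassLiteralCheck", "org.example.DateLookup"));
    }
}
```

Compile and run with `javac MissingClassDemo.java && java MissingClassDemo`. The string-based check returns false for the unrelated plugin name, whereas the class-literal check throws `NoClassDefFoundError` for the hidden class, which is the point the PR makes: with `JndiLookup.class.getName()` the exception is raised while checking an ordinary plugin, so the failure is not confined to JndiLookup itself.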
