[ https://issues.apache.org/jira/browse/LOG4J2-3290?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17465526#comment-17465526 ]

Ralph Goers commented on LOG4J2-3290:
-------------------------------------

Yes, it should be removed.

> NetUtils.getLocalIps() is error-prone
> -------------------------------------
>
>                 Key: LOG4J2-3290
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3290
>             Project: Log4j 2
>          Issue Type: Bug
>            Reporter: Marcono1234
>            Priority: Minor
>
> The method {{org.apache.logging.log4j.core.util.NetUtils.getLocalIps()}} is 
> error-prone:
> - It does not document in which format the returned IP addresses are. IPv6 
> addresses are not enclosed in square brackets, and may have an optional scope 
> id, e.g. {{1080:0:0:0:8:800:200C:417A%eth3}}. This should be documented 
> because some callers might expect enclosing square brackets.
> - It does not include the short form of the IPv6 loopback address: {{::1}}
> - Its results include temporary IP addresses. This causes the following 
> issues, when during the runtime of an application the IP addresses are 
> re-assigned by the provider:
> -- If the results of {{getLocalIps()}} were cached, parts of the application 
> might break due to IP address change, because the newly assigned IP address 
> is not considered a 'local IP' anymore.
> -- It might allow circumventing IP address filters when a malicious actor 
> manages to get the previous IP address as their new address.
> {{NetUtils.getLocalIps()}} was only introduced for {{JndiManager}}, however 
> with the recent changes the method does not appear to be used anymore (see 
> LOG4J2-3242). Therefore, it might also be an option to remove the method 
> again.
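The three formatting pitfalls listed in the issue (IPv6 addresses without enclosing brackets, an optional `%scope` id such as `%eth3`, and the long versus short spelling of the loopback address) all cause trouble when a caller compares addresses as plain strings. The following is an added example, not Log4j code and not written by the issue's author; it is in Python with the standard `ipaddress` module rather than Java, because that keeps it self-contained. `SAMPLE_LOCAL_IPS` is a constructed list imitating what a `getLocalIps()`-style enumeration might return (it deliberately omits `::1`, as the issue reports); it is not real output from any host.

```python
"""Normalising textual IP addresses before a "is this one of my local
addresses" check, so that textually different spellings of the same address
compare equal. Added example; not part of Log4j."""
import ipaddress
from typing import Iterable, Optional, Set, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample (not real host output): IPv4, a long-form IPv6 address
# with a scope id, and the long form of the IPv6 loopback. ::1 is absent.
SAMPLE_LOCAL_IPS = [
    "127.0.0.1",
    "192.0.2.10",
    "1080:0:0:0:8:800:200C:417A%eth3",
    "0:0:0:0:0:0:0:1",
]


def normalize_ip(text: str) -> Optional[IPAddress]:
    """Parse text into a canonical address object, or None if unparsable.

    Surrounding square brackets (URL-literal form) and an IPv6 zone/scope id
    (the part after '%') are dropped first. Python 3.9+ can parse scope ids
    itself, but it then treats 'addr%eth3' and 'addr' as *unequal*, so the
    id is stripped here on purpose: it qualifies an interface on this host,
    not the address being compared.
    """
    s = text.strip()
    if s.startswith("[") and s.endswith("]"):
        s = s[1:-1]
    s = s.split("%", 1)[0]
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None  # fail closed: callers treat None as "not recognised"


def canonical_string(text: str) -> Optional[str]:
    """Shortest canonical spelling (RFC 5952 style for IPv6, lower-case hex)."""
    addr = normalize_ip(text)
    return None if addr is None else addr.compressed


def is_local_ip(candidate: str, local_ips: Iterable[str]) -> bool:
    """Membership test by parsed value, not by string.

    '::1', '0:0:0:0:0:0:0:1' and '[::1]' all match the same local address.
    Any loopback address is accepted even if the enumeration omitted it.
    local_ips is passed in per call rather than cached, so a re-assigned
    (temporary) address is picked up on the next enumeration.
    """
    cand = normalize_ip(candidate)
    if cand is None:
        return False
    if cand.is_loopback:
        return True
    local: Set[IPAddress] = {a for a in map(normalize_ip, local_ips) if a is not None}
    return cand in local


def for_url(text: str) -> Optional[str]:
    """Render an address for a URL authority: IPv6 literals need brackets."""
    addr = normalize_ip(text)
    if addr is None:
        return None
    return f"[{addr.compressed}]" if addr.version == 6 else addr.compressed


if __name__ == "__main__":
    for probe in ("::1", "[1080::8:800:200c:417a]", "192.0.2.10", "192.0.2.11"):
        print(probe, "->", canonical_string(probe), "local:", is_local_ip(probe, SAMPLE_LOCAL_IPS))
```

Because the comparison is done on parsed values, a caller that receives an address in one spelling (from a socket, a header, or a configuration file) and the local list in another still gets the right answer; and because the local list is an argument rather than a cached module constant, the stale-cache and filter-bypass scenarios from the issue are avoided by re-enumerating before each check.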
