Danny Brugman created LOG4J2-3311:
-------------------------------------

Summary: Interpolations in config file stop functioning when JndiLookup.class is removed
Key: LOG4J2-3311
URL: https://issues.apache.org/jira/browse/LOG4J2-3311
Project: Log4j 2
Issue Type: Bug
Components: Lookups
Affects Versions: 2.16.0
Reporter: Danny Brugman

A commonly used mitigation for CVE-2021-44228 for systems that cannot be
updated (yet) is to remove the JndiLookup.class from the log4j-core jar. This
should not have any adverse effects besides disabling JNDI lookups altogether.
However, with version 2.16.0, interpolations/lookups in config files no longer
work when the JndiLookup.class is removed. Although the latest log4j releases
should completely fix the 'log4shell' issue, there are many users who don't
feel comfortable, and who will still remove the JndiLookup.class 'just to be
sure'.

The consequence is that log files might get written to unexpected directories,
using unexpected file names, etc. which might break log aggregation, which is a
security concern in itself.

I think all fixes for the recent log4j security problems should be 'backward
compatible' with earlier suggested fixes and workarounds.
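
An added example, not part of the original report or of Log4j's own code: a Python check that flags log4j-core jars from which JndiLookup.class has been removed while the bundled version is the one the report lists as affected (2.16.0). The status strings and the in-memory sample jars are constructed for illustration, and the version is assumed to be readable from the Maven pom.properties entry inside the jar.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
AFFECTED = {"2.16.0"}  # "Affects Versions" from the report; extend only after testing


def audit_core_jar(jar):
    """Classify a log4j-core jar given as a path or a binary file object."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:  # assumption: standard Maven metadata is present
            text = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(\S+)", text, re.MULTILINE)
            version = m.group(1) if m else None
    stripped = JNDI_CLASS not in names
    if not stripped:
        status = "intact"
    elif version in AFFECTED:
        # Mitigation applied on a version where config lookups then stop working.
        status = "stripped-config-lookups-at-risk"
    elif version is None:
        status = "stripped-version-unknown"
    else:
        status = "stripped"
    return {"version": version, "jndi_lookup_present": not stripped, "status": status}


def make_sample_jar(version, with_jndi):
    """Build a constructed, in-memory stand-in for log4j-core (not a real jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/Interpolator.class", b"")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for ver, jndi in [("2.16.0", True), ("2.16.0", False), ("2.14.1", False)]:
        print(ver, jndi, audit_core_jar(make_sample_jar(ver, jndi)))
```

A jar reported as "stripped-config-lookups-at-risk" is a candidate for checking where its log files are actually being written, since the report describes unresolved lookups changing file paths and names.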