[
https://issues.apache.org/jira/browse/LOG4J2-3311?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Danny Brugman closed LOG4J2-3311.
---------------------------------
Resolution: Invalid
Issue seems to have already been fixed in the latest release (2.17.1)
> Interpolations in config file stop functioning when JndiLookup.class is
> removed
> -------------------------------------------------------------------------------
>
> Key: LOG4J2-3311
> URL: https://issues.apache.org/jira/browse/LOG4J2-3311
> Project: Log4j 2
> Issue Type: Bug
> Components: Lookups
> Affects Versions: 2.16.0
> Reporter: Danny Brugman
> Priority: Major
>
> A commonly used mitigation for CVE-2021-44228 for systems that cannot be
> updated (yet) is to remove the JndiLookup.class from the log4j-core jar. This
> should not have any adverse effects besides disabling JNDI lookups altogether.
> However, with version 2.16.0, interpolations/lookups in config files no
> longer work when the JndiLookup.class is removed. Although the latest log4j
> releases should completely fix the 'log4shell' issue, there are many users
> who don't feel comfortable, and who will still remove the JndiLookup.class
> 'just to be sure'.
> The consequence is that log files might get written to unexpected
> directories, using unexpected file names, etc. which might break log
> aggregation, which is a security concern in itself.
> I think all fixes for the recent log4j security problems should be 'backward
> compatible' with earlier suggested fixes and workarounds.
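A check for the situation this report describes, as an added example that is not part of the Jira issue or the Log4j project: it reads a log4j-core jar, reports whether JndiLookup.class has been stripped, and flags the 2.16.0 case in which the reporter saw config-file lookups stop working. The class and pom.properties paths are those of a standard log4j-core jar; the function names, status labels and in-memory sample jars are constructed for illustration.

```python
import io
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
REPORTED_AFFECTED = {"2.16.0"}  # "Affects Versions" field of LOG4J2-3311


def inspect_jar(jar):
    """Return (version, jndi_present) for a log4j-core jar (path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    version = value.strip()
        return version, JNDI_CLASS in names


def assess(jar):
    """Classify a jar; the labels are hypothetical names chosen for this example."""
    version, jndi_present = inspect_jar(jar)
    if jndi_present:
        return "jndi-present"              # workaround not applied to this jar
    if version is None:
        return "stripped-unknown-version"  # e.g. repackaged jar without pom.properties
    if version in REPORTED_AFFECTED:
        return "stripped-lookups-at-risk"  # check where log files actually get written
    return "stripped"


def make_jar(version, with_jndi):
    """Build a constructed, minimal stand-in for a log4j-core jar in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/Interpolator.class", b"")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for version, with_jndi in [("2.16.0", True), ("2.16.0", False), ("2.17.1", False)]:
        print(version, "JndiLookup present:", with_jndi, "->", assess(make_jar(version, with_jndi)))
```

Passing a filesystem path instead of the in-memory sample works the same way, since `zipfile.ZipFile` accepts either.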