[
https://issues.apache.org/jira/browse/LOG4J2-3294?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ralph Goers closed LOG4J2-3294.
-------------------------------
Resolution: Not A Problem
JNDI is in the library because it is still used by JEE applications as well as
JMS and JDBC in some circumstances. I would guess well over 80% of Log4j users
use property substitution (although Matt's guess is probably closer).
Log4j 2.17.2 has fixed property substitution so that Lookup recursion is no
longer necessary or allowed.
I am closing this since a) it covers multiple topics and b) everything
mentioned has been covered to the degree it needs to be.
> Default to having placeholders off in log4j and remove JNDI lookups
> -------------------------------------------------------------------
>
> Key: LOG4J2-3294
> URL: https://issues.apache.org/jira/browse/LOG4J2-3294
> Project: Log4j 2
> Issue Type: Improvement
> Components: Appenders
> Affects Versions: 2.13.0, 2.14.0, 2.15.0, 2.16.0, 2.17.0
> Environment: Java 17
> Reporter: jamie fisher
> Priority: Critical
>
> Log4j keeps having RCE bugs and security issues relating to placeholders
> ${like:this}
> Normally when a product has multiple severe security problems we would just
> use something else, but for many people they cannot change to another less
> bloated logger.
> My proposal is to *completely remove JNDI*, which leads to arbitrary code
> execution (why is this in a logging library?). This feature is used by
> less than 0.001% of log4j users (in my measurements).
> My second proposal is to have features such as placeholders disabled by
> default (it is rare that these are needed under normal circumstances, their
> parsing is slow and has posed several security issues in the past).
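As an added illustration (not Log4j code and not written by anyone in this thread), a small Python model of the distinction Ralph's comment draws: substitution that keeps re-scanning its own output (so data returned by one lookup is itself interpreted as a placeholder) versus substitution that resolves each `${...}` in the configuration string exactly once. The lookup table and the "user typed" message are constructed for the example.

```python
import re

# Innermost ${...} placeholder: anything between the braces except "$", "{" or "}".
PLACEHOLDER = re.compile(r"\$\{([^${}]*)\}")

# Constructed lookup table. "msg" stands for an untrusted value (e.g. a log
# message) that a lookup might hand back; note it contains placeholder syntax.
LOOKUPS = {
    "app": "orders",
    "env": "prod",
    "secret": "s3cr3t",
    "msg": "user typed ${secret}",
}


def _resolve(match: re.Match, lookups: dict) -> str:
    """Return the lookup value, or leave the placeholder text unchanged if unknown."""
    return lookups.get(match.group(1), match.group(0))


def substitute_recursive(text: str, lookups: dict, max_depth: int = 10) -> str:
    """Model of re-scanning substitution: after one pass the result is scanned
    again, so whatever a lookup returned is interpreted as further placeholders.
    Data flowing through a lookup can therefore trigger additional lookups."""
    for _ in range(max_depth):
        expanded = PLACEHOLDER.sub(lambda m: _resolve(m, lookups), text)
        if expanded == text:          # nothing left to resolve
            return text
        text = expanded
    return text                       # depth limit reached; stop expanding


def substitute_once(text: str, lookups: dict) -> str:
    """Model of single-pass substitution: only placeholders literally present in
    the configuration string are resolved, and lookup results are emitted
    verbatim, never re-scanned. A value such as "${secret}" stays a literal."""
    return PLACEHOLDER.sub(lambda m: _resolve(m, lookups), text)


if __name__ == "__main__":
    pattern = "${app}: ${msg}"
    print("recursive :", substitute_recursive(pattern, LOOKUPS))
    print("single    :", substitute_once(pattern, LOOKUPS))
```

Running it shows the recursive variant leaking the "secret" value into the output, while the single-pass variant leaves the placeholder that arrived inside the message as inert text.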
--
This message was sent by Atlassian Jira
(v8.20.1#820001)