[ 
https://issues.apache.org/jira/browse/LOG4J2-3360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17524572#comment-17524572
 ] 

ASF subversion and git services commented on LOG4J2-3360:
---------------------------------------------------------

Commit e5576ed33962d188aba6623809740d233216e125 in logging-log4j2's branch 
refs/heads/release-2.x from Volkan Yazıcı
[ https://gitbox.apache.org/repos/asf?p=logging-log4j2.git;h=e5576ed339 ]

LOG4J2-3360 Add OSSF Scorecards GitHub Action.


> Document unsafe lookup usage patterns
> -------------------------------------
>
>                 Key: LOG4J2-3360
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3360
>             Project: Log4j 2
>          Issue Type: Improvement
>            Reporter: Volkan Yazici
>            Priority: Major
>             Fix For: 2.17.3
>
>
> The recent CVE storm has proven that lookups are employed by users in many 
> places where they shouldn't. In particular, lookups depending on 
> {{LogEvent}}s (e.g., {{ctx}}) are honeypots for attackers and there are 
> safer ways to expose the very same information via more native constructs, 
> e.g., MDC accessors in {{PatternLayout}} and {{JsonTemplateLayout}}. This 
> story aims to enrich the lookup and certain layout documentation with such 
> best practices.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
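An added configuration example (constructed for this note, not taken from the issue or the commit) that puts the lookup-based pattern the description discourages beside the native MDC accessors it recommends; the MDC key `userId`, the appender names and the file name are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example log4j2.xml. "userId" is an assumed MDC key whose
     value may originate from caller-supplied input (e.g. a request header). -->
<Configuration status="WARN">
  <Appenders>
    <Console name="Stdout" target="SYSTEM_OUT">
      <!-- Discouraged: "${ctx:userId}" is a lookup resolved against the
           LogEvent at render time, the usage pattern this issue flags as
           unsafe, because the MDC value goes through lookup substitution
           instead of being printed verbatim. Kept commented out. -->
      <!-- <PatternLayout pattern="%d %p [user=${ctx:userId}] %m%n"/> -->

      <!-- Preferred: %X{userId} is PatternLayout's native MDC accessor; the
           value is emitted as plain text and is never evaluated as a lookup. -->
      <PatternLayout pattern="%d %p [user=%X{userId}] %m%n"/>
    </Console>
    <File name="Json" fileName="app.json.log">
      <!-- JsonTemplateLayout equivalent: the "mdc" resolver reads the key
           straight from the event's context data, no lookup involved. -->
      <JsonTemplateLayout>
        <EventTemplateAdditionalField key="user"
            format="JSON" value='{"$resolver": "mdc", "key": "userId"}'/>
      </JsonTemplateLayout>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Stdout"/>
      <AppenderRef ref="Json"/>
    </Root>
  </Loggers>
</Configuration>
```

A quick check for existing configurations is to grep pattern and template files for `${ctx:` and `${` in general, then replace each occurrence with the layout's own accessor as shown above.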