I think we have a misunderstanding, Remko. I indeed proposed removing *"message
lookups"*, that is, lookup interpolation in log messages. I don't want to
remove other usages of lookups.
In particular, as of today, message lookups are only used by PatternLayout.
Hence, my proposal is to remove them
I agree with Remko, we should not drop lookups altogether, they are too
useful. Dropping them from parameter parsing is ok at first glance.
Gary
On Fri, Dec 10, 2021, 05:50 Remko Popma wrote:
> I would say no. Lookups are very powerful and useful.
> We could consider removing JNDI lookups.
I would say no. Lookups are very powerful and useful.
We could consider removing JNDI lookups.
The biggest problem however is that the lookups are applied to the logging
message *parameters*.
The logging message is controlled by the application, so any lookups there
should be fine or at least any
Shall we completely remove message lookups (which are only used by
PatternLayout) in master?
Severity: critical
Description:
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and
parameters do not protect against attacker controlled LDAP and other JNDI
related endpoints. An attacker who can control log messages or log message
parameters can execute arbitrary co
The Apache Log4j 2 team is pleased to announce the Log4j 2.15.0 release!
Apache Log4j is a well known framework for logging application behavior. Log4j
2 is an upgrade to Log4j that provides significant improvements over its
predecessor, Log4j 1.x, and provides many other modern features such as