Our latest release, 2.16.0, completely removes the message lookup
functionality which makes it impossible to inadvertently re-enable.
On Mon, Dec 13, 2021 at 4:58 PM Dash a wrote:
>
> Hello,
> Thanks for the explanation. It is a bit more relaxing.
>
> As for current concerns - upon a bit of thoug
Hello,
Thanks for the explanation. It is a bit more relaxing.
As for current concerns - upon a bit of thought I see it as concerning if
the current implementation doesn't warn the user when it is enabled.
This can present an issue in auditing or a false negative result in case of
supply chain attack/l
JNDI was only part of the issue but we did indeed seek to sanitize JNDI as much
as we could in 2.15.0. However, we felt it best to disable it by default in
2.16.0 so that it would be more difficult to accidentally use. We will continue
to look to improve that sanitization logic so that users w
Hi Daniel,
The plan is to disable lookups in log messages completely in the next Log4j release.
If you can tell us your concrete use case we may be able to advise on how
to implement it safely.
Lookups in configuration will continue to work (but JNDI will require an
extra setting to be enabled).
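The auditing concern raised in this thread (a deployment that re-enables JNDI without anyone noticing) can be checked from the outside. The following is an added example, not code from the Log4j project or from anyone in the thread; it assumes the 2.16.0 property names log4j2.enableJndi and log4j2.formatMsgNoLookups, and that -D system properties take precedence over a log4j2.component.properties file.

```python
"""Audit a JVM's Log4j 2 lookup/JNDI settings and warn when JNDI is re-enabled."""

# Property names as used by Log4j 2.16.0; later releases split enableJndi
# into enableJndiLookup / enableJndiJms / enableJndiContextSelector.
ENABLE_JNDI = "log4j2.enableJndi"
NO_LOOKUPS = "log4j2.formatMsgNoLookups"

def parse_properties(text: str) -> dict[str, str]:
    """Minimal java.util.Properties parser: 'key=value' or 'key:value' lines."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        cut = min(seps) if seps else len(line)
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props

def parse_jvm_flags(args: list[str]) -> dict[str, str]:
    """Collect -Dkey=value system properties from a JVM command line."""
    out: dict[str, str] = {}
    for arg in args:
        if arg.startswith("-D"):
            key, _, value = arg[2:].partition("=")
            out[key] = value
    return out

def audit(jvm_args: list[str], props_text: str, version: str) -> dict:
    """Return the effective JNDI state plus audit warnings for one JVM."""
    # Assumption: -D system properties override log4j2.component.properties.
    settings = parse_properties(props_text)
    settings.update(parse_jvm_flags(jvm_args))
    major, minor = (int(p) for p in version.split(".")[:2])
    jndi_on = settings.get(ENABLE_JNDI, "false").lower() == "true"
    warnings: list[str] = []
    if (major, minor) < (2, 15):
        if settings.get(NO_LOOKUPS, "").lower() != "true":
            warnings.append(f"message lookups active ({NO_LOOKUPS} not true); upgrade")
    elif (major, minor) == (2, 15):
        warnings.append("message lookups only disabled by default; 2.16.0 removes them")
    if jndi_on:
        warnings.append(f"JNDI explicitly enabled via {ENABLE_JNDI}=true; record and review")
    return {"version": version, "jndi_enabled": jndi_on, "warnings": warnings}

if __name__ == "__main__":
    # Constructed sample: the properties file says off, the JVM flag says on.
    sample_props = "# deployment defaults\nlog4j2.enableJndi=false\n"
    print(audit(["-Xmx1g", "-Dlog4j2.enableJndi=true"], sample_props, "2.16.0"))
```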
Hello,
Sorry to storm in on a discussion that probably happened internally, but
correct me if I am wrong: the solution offered doesn't seem to fix the
original issue, which appears to be due to lack of sanitization, but rather
disables it by default.
This seems a bit lacking if it is the case as if so