Hi,

On 1.11.2025 07:22, Charpe, Anil wrote:
> I have a couple of questions to confirm, since when I googled it, it
> mentions that - Yes, exploiting CVE-2025-55754 requires user
> interaction and relies on an administrator running an interactive
> command console. So, it is creating confusion and ambiguity as to
> what is exactly correct? Kindly clarify & confirm.
The CVE originates from the inherent risks of using *unstructured* log formats such as Tomcat's default `OneLineFormatter`. Unstructured formats are:

- Easy for *humans* to read, but not for *machines* to parse, and
- Vulnerable to phishing or social engineering when logs are viewed interactively.

While such formats are very convenient for development and testing, I strongly discourage their use in production environments. (See the `PatternLayout` warning in the Log4j manual [1].)

The problem is simple: unstructured layouts treat *no* character as special. This means it's impossible to reliably determine where a log record or any part of it ends, since custom log levels, logger names, thread names, and messages can all include newline and other control characters. That makes them susceptible to log injection and log mangling attacks.

As long as your system is not exposed to threat actors, the risk is limited. But for production systems, structured log formats (e.g. RFC 5424, JSON-based ECS, GELF, GCP, etc.) are *strongly* recommended. These have been well supported by log analysis tools for many years.

In production, you can consider either of these options:

- Use the Tomcat JULI `JSONLayout` introduced in the February 2025 releases [2], or
- Replace the JULI backend with an alternative logging implementation such as Log4j Core [3], which offers multiple structured layouts.

Note: replacing the Tomcat JULI implementation is straightforward, but using the same logging backend for both Tomcat and web applications requires a bit more setup. I maintain several (admittedly lesser-known) Tomcat components and Log4j Core plugins that simplify this process [4]. A short quick-start guide is available here [5].
Best regards,
Piotr

[1] https://logging.apache.org/log4j/2.x/manual/pattern-layout.html
[2] https://tomcat.apache.org/tomcat-11.0-doc/changelog.html#Tomcat_11.0.4_(markt)
[3] https://logging.apache.org/log4j/2.x/jakarta.html#replace
[4] https://oss.copernik.eu/tomcat/3.x/
[5] https://oss.copernik.eu/tomcat/3.x/guide
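As an added illustration of the record-boundary problem Piotr describes (example code written for this page, not code from the thread, from Tomcat JULI or from Log4j): a toy one-line layout loosely modelled on a timestamp/level/thread/logger/message line next to a JSON layout, fed through the kind of line-oriented reader a log shipper uses, plus a pre-write check for control characters. The layout, field names and the sample record are constructed.

```python
import json
import re

# Constructed layout: fields joined by spaces, nothing escaped. This mimics the
# property of unstructured layouts that no character is treated as special.
def one_line_format(ts, level, thread, logger, message):
    return f"{ts} {level} [{thread}] {logger} {message}"

# Structured layout: json.dumps escapes '\n' and other control characters, so
# one record always occupies exactly one physical line.
def json_format(ts, level, thread, logger, message):
    return json.dumps({"ts": ts, "level": level, "thread": thread,
                       "logger": logger, "message": message})

# Line-oriented reader, as a shipper or analyst tool would treat a file.
def parse_one_line(text):
    return [line for line in text.split("\n") if line]

def parse_json_lines(text):
    return [json.loads(line) for line in text.split("\n") if line]

# Defensive check: flag a record whose fields carry newline or other
# control characters before it reaches an unstructured sink.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def has_control_chars(*fields):
    return any(CONTROL.search(f) for f in fields)

# Constructed tainted input: a value the application logs verbatim, carrying
# a newline followed by text shaped like a second, forged record.
TAINTED_MESSAGE = ("login failed for user bob\n"
                   "01-Nov-2025 07:22:00.000 INFO [main] org.example.Auth forged line")

def demo():
    ts, level = "01-Nov-2025 07:22:00.000", "WARNING"
    thread, logger = "http-nio-8080-exec-1", "org.example.Auth"
    unstructured = one_line_format(ts, level, thread, logger, TAINTED_MESSAGE)
    structured = json_format(ts, level, thread, logger, TAINTED_MESSAGE)
    return {
        # The reader sees two records: the forged line is indistinguishable.
        "unstructured_records": len(parse_one_line(unstructured)),
        # The JSON line is still one record and the message survives intact.
        "structured_records": len(parse_json_lines(structured)),
        "message_intact": parse_json_lines(structured)[0]["message"] == TAINTED_MESSAGE,
        # The pre-write check catches the embedded newline.
        "flagged": has_control_chars(ts, level, thread, logger, TAINTED_MESSAGE),
    }

if __name__ == "__main__":
    print(demo())
```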
