Given the inherent security problems with Java object serialization (highlighted by CVE-2017-5645), I do suggest that we deprecate SerializedLayout and remove it as default for SocketAppender, and all other appenders which currently have it as default. (We can still keep SerializedLayout, with a warning about security issues in documentation, but users will have to enable it explicitly.)
Some people have missed the fact that you can configure SocketAppender with another layout.

I suggest we do this in the 2.9 release. I know this will break some existing configurations, but given the security problems, I think that is a price we have to pay in this case.

We have a JIRA ticket for a new Avro based binary layout: https://issues.apache.org/jira/browse/LOG4J2-1871

If we implement that in time for 2.9, we can recommend it as a replacement for SerializedLayout. If not, we could recommend JsonLayout which should contain all necessary information.

--
Mikael Ståldal
Senior software developer
Magine TV
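An added illustration, not part of the original message or of the Log4j project's own documentation: a `log4j2.xml` in which SocketAppender is given an explicit JsonLayout, so it does not fall back to the SerializedLayout default discussed above. The appender names, host and port are constructed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example; appender names, host and port are constructed placeholders. -->
<Configuration status="warn">
  <Appenders>
    <!--
      Implicit default: with no layout element, the SocketAppender versions
      discussed in this message fall back to SerializedLayout, so the receiver
      has to deserialize Java objects read from the network.

      <Socket name="RemoteSerialized" host="logs.example.internal" port="4560"/>
    -->

    <!-- Explicit layout: events go out as one JSON document per line, and the
         receiver parses text instead of deserializing Java objects. -->
    <Socket name="RemoteJson" host="logs.example.internal" port="4560" protocol="TCP">
      <JsonLayout compact="true" eventEol="true" properties="true"/>
    </Socket>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="RemoteJson"/>
    </Root>
  </Loggers>
</Configuration>
```

JsonLayout needs the Jackson libraries on the classpath, and the receiving end has to be a JSON consumer rather than a listener that expects serialized Java objects.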
