But there *is* an allowed list of Java classes and packages configured in org.apache.logging.log4j.util.FilteredObjectInputStream which the log4j-server module's servers use through ObjectInputStreamLogEventBridge.
Gary

On Thu, Dec 3, 2020 at 10:33 AM Ralph Goers <ralph.go...@dslextreme.com> wrote:

> There is a Jira issue to do that but as far as I know the Security bug was never addressed in that code. In a quick glance at it I still see it supporting Java serialized objects without any kind of whitelisting. I don’t see anything in that repo besides the log server and I wouldn’t want to release something with known security problems.
>
> Ralph
>
> > On Dec 3, 2020, at 8:09 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
> >
> > Hi All:
> >
> > We've never released from
> > https://gitbox.apache.org/repos/asf?p=logging-log4j-tools.git and I'm
> > currently using a SNAPSHOT build. Any thoughts on releasing from there?
> >
> > Gary
> >
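The allowlisting that FilteredObjectInputStream performs, as an added example of the same technique written for this thread (not log4j's own code): an ObjectInputStream subclass that rejects any class not on a class or package allowlist before it is loaded. The `Event` class, the helper names and the allowed package prefixes are constructed for the demo; Java 9+ is assumed for `Set.of`/`List.of`.

```java
import java.io.*;
import java.util.List;
import java.util.Set;

// Added example, not log4j's own code: an ObjectInputStream that resolves only
// allowlisted classes and packages, the defence FilteredObjectInputStream applies
// to serialized LogEvents. The allowed names below are constructed for the demo.
public class AllowlistDemo {
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> classes;
        private final List<String> packages;
        AllowlistObjectInputStream(InputStream in, Set<String> classes, List<String> packages) throws IOException {
            super(in);
            this.classes = classes;
            this.packages = packages;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            boolean ok = classes.contains(name)
                    || packages.stream().anyMatch(name::startsWith);
            if (!ok) {
                // Reject before the class is loaded, let alone instantiated.
                throw new InvalidObjectException("Class not allowed for deserialization: " + name);
            }
            return super.resolveClass(desc);
        }
    }
    // Hypothetical stand-in for the LogEvent payload a log server expects.
    static final class Event implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        Event(String message) { this.message = message; }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    // Only Event itself plus java.lang.* and java.util.* may be resolved.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowlistObjectInputStream(new ByteArrayInputStream(data),
                Set.of(Event.class.getName()), List.of("java.lang.", "java.util."))) {
            return ois.readObject();
        }
    }
}
```

`readFiltered(serialize(new Event("hi")))` returns the event, while `readFiltered(serialize(new java.net.URI("https://example.invalid/")))` throws InvalidObjectException because java.net.URI is neither an allowed class nor in an allowed package.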