[ https://issues.apache.org/jira/browse/LOG4J2-1226?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15066516#comment-15066516 ]
Joern Huxhorn commented on LOG4J2-1226:
---------------------------------------

I do have a stacktrace but it's in Lilith so it won't be of much help for you.

{{MapMessage}}, {{MessageFormatMessage}}, {{ParameterizedMessage}}, {{SimpleMessage}}, {{StringFormattedMessage}}, {{StructuredDataMessage}} and {{ThreadDumpMessage}} work as expected for me.

Serializing will work if the {{Message}} implementation adheres to the contract of implementing {{Serializable}} (as defined in {{Message}}). The problem happens on the receiving end of the events. It's especially problematic if a user implements their own {{Message}} implementation, since the class likely won't be available in the receiving JVM.

Another huge problem is parameters that are simply serialized. This is the case in {{ObjectArrayMessage}} and {{ObjectMessage}} and will similarly cause a {{ClassNotFoundException}} during deserialization if a custom class is used as a parameter.

{code:java}
logger.debug(new FormattedMessage("formatted message {} {}", new Object[]{"foo", "bar"}));
{code}

does not work for me (it causes a closed connection) but I'm not sure why.

{code:java}
logger.debug(new LocalizedMessage("LocalizedMessage %s %s", new Object[]{"foo", "bar"}));
{code}

simply does not work but isn't closing the connection.

> Message instances are simply serialized. They mustn't.
> ------------------------------------------------------
>
>                 Key: LOG4J2-1226
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-1226
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: API
>    Affects Versions: 2.5
>            Reporter: Joern Huxhorn
>
> Right now, any Message instance used to call any log method is simply sent
> as it is.
> Instead, the {{Throwable}} must be transformed into a {{ThrowableProxy}}.
> Custom {{Message}} implementations must be transformed into one of log4j's
> standard message implementations, and care must be taken to convert the
> {{Parameters}} {{Object[]}} into {{String[]}} before the message is
> serialized.
> Otherwise, deserialization will fail if a custom {{Throwable}}, custom
> {{Message}} or custom parameter is not contained in the classpath of the
> application receiving the serialized {{LogEvent}}.
> I found those issues while implementing the circumvention for [Apache Commons
> statement to widespread Java object de-serialisation
> vulnerability|https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread]
> in [Lilith|http://lilithapp.com].
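The transformation the issue asks for, as an added example that is neither Log4j's own code nor the reporter's: before a {{LogEvent}} leaves the sending JVM, rewrite its {{Message}} into a standard implementation whose parameters are all {{String}}s and wrap the {{Throwable}} in a {{ThrowableProxy}}, so the receiver never has to load a sender-side class. It assumes log4j-api and log4j-core 2.x on the classpath; the class name {{MessageSanitizer}} and the {{Sanitized}} holder are made up for this example.

```java
import java.io.Serializable;
import org.apache.logging.log4j.core.impl.ThrowableProxy;
import org.apache.logging.log4j.message.Message;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.apache.logging.log4j.message.SimpleMessage;

/** Hypothetical helper (not part of Log4j): rebuild a Message from Strings only. */
public final class MessageSanitizer {

    /** What gets serialized instead of the original Message and Throwable. */
    public static final class Sanitized implements Serializable {
        private static final long serialVersionUID = 1L;
        public final Message message;              // standard log4j implementation
        public final ThrowableProxy throwableProxy; // null when there was no Throwable
        Sanitized(Message message, ThrowableProxy throwableProxy) {
            this.message = message;
            this.throwableProxy = throwableProxy;
        }
    }

    public static Sanitized sanitize(Message original) {
        // The receiver may lack a custom Throwable class; ThrowableProxy carries
        // class name, message and stack frames as plain data instead.
        Throwable t = original.getThrowable();
        ThrowableProxy proxy = (t == null) ? null : new ThrowableProxy(t);

        Message safe;
        if (original instanceof ParameterizedMessage) {
            // Keep the "{}" pattern, but turn every parameter into its String form
            // so ObjectMessage-style custom classes never reach the wire.
            Object[] params = original.getParameters();
            String[] stringParams = new String[params == null ? 0 : params.length];
            for (int i = 0; i < stringParams.length; i++) {
                stringParams[i] = String.valueOf(params[i]);
            }
            safe = new ParameterizedMessage(original.getFormat(), (Object[]) stringParams);
        } else {
            // Custom, Object-carrying or format-specific messages (ObjectMessage,
            // MessageFormatMessage, user classes): keep only the rendered text.
            // This is lossy for MapMessage/StructuredDataMessage structure, but safe.
            safe = new SimpleMessage(original.getFormattedMessage());
        }
        return new Sanitized(safe, proxy);
    }
}
```

Applied on the sender before serialization, the receiver only ever deserializes {{SimpleMessage}}, {{ParameterizedMessage}} with {{String}} parameters, and {{ThrowableProxy}}, all of which ship with log4j itself.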