[ https://issues.apache.org/jira/browse/LOG4J2-3208?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gary D. Gregory updated LOG4J2-3208:
------------------------------------
    Description: Dealing with CVE-2021-44228 has shown the JNDI has significant 
security issues. While we have mitigated what we are aware of it would be safer 
for users to completely disable it by default, especially since the large 
majority are unlikely to be using it. Those who are will need to specify 
-Dlog4j2.enableJndi=true or the environment variable form of it to use any JNDI 
components.  (was: Dealing with CVE-2021-4422 has shown the JNDI has 
significant security issues. While we have mitigated what we are aware of it 
would be safer for users to completely disable it by default, especially since 
the large majority are unlikely to be using it. Those who are will need to 
specify -Dlog4j2.enableJndi=true or the environment variable form of it to use 
any JNDI components.)

> Disable JNDI by default
> -----------------------
>
>                 Key: LOG4J2-3208
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3208
>             Project: Log4j 2
>          Issue Type: Story
>          Components: Core
>    Affects Versions: 2.15.0
>            Reporter: Ralph Goers
>            Priority: Major
>             Fix For: 2.16.0
>
>
> Dealing with CVE-2021-44228 has shown the JNDI has significant security 
> issues. While we have mitigated what we are aware of it would be safer for 
> users to completely disable it by default, especially since the large 
> majority are unlikely to be using it. Those who are will need to specify 
> -Dlog4j2.enableJndi=true or the environment variable form of it to use any 
> JNDI components.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
