SpComb edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-993560912


> I'm not quite sure what that means or where we should continue the discussion about that, if it's a new attack vector etc.

This should really have been reported privately, or at the minimum via a separate GitHub issue, rather than via a public GitHub PR comment.

For anyone else that may come across similar follow-up issues, I suggest you follow the instructions on the log4j project website, and use the priv...@logging.apache.org email address: https://logging.apache.org/log4j/2.x/security.html

> If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the [Log4j Security Team](priv...@logging.apache.org). Thank you.

If this does turn out to be a new attack vector, it probably needs a new CVE number. I've attempted to contact the relevant security contacts to take this further; I don't know what else to do.

EDIT: https://issues.apache.org/jira/browse/LOG4J2-3221 is the new Jira ticket for tracking this issue, which strictly speaking isn't relevant to the JNDI restrictions in this PR. The `log4j2.allowedJndiProtocols/Hosts/Classes` defaults implemented in https://github.com/apache/logging-log4j2/pull/608 / 2.15.0 are good, and the `log4j2.enableJndi=false` default in https://github.com/apache/logging-log4j2/commit/44569090f1cf1e92c711fb96dfd18cd7dccc72ea / 2.15.1-rc1 / 2.16.0 is even better.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@logging.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org