[
https://issues.apache.org/jira/browse/LOG4J2-3208?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459857#comment-17459857
]
Remko Popma commented on LOG4J2-3208:
-------------------------------------
[~dcieslak] No, unfortunately this mitigation (setting environment variable
{{LOG4J_FORMAT_MSG_NO_LOOKUPS=true}} is NOT a recommended measure any more. We
found that it is possible for attackers to circumvent this.
The security page (https://logging.apache.org/log4j/2.x/security.html) has been
updated to reflect this.
The *only* valid mitigation is upgrading to Log4j 2.16.0+ or removing the
JndiLookup class from the log4j-core JAR.
> Disable JNDI by default
> -----------------------
>
> Key: LOG4J2-3208
> URL: https://issues.apache.org/jira/browse/LOG4J2-3208
> Project: Log4j 2
> Issue Type: Story
> Components: Core
> Affects Versions: 2.15.0
> Reporter: Ralph Goers
> Priority: Major
> Fix For: 2.16.0
>
>
> Dealing with CVE-2021-44228 has shown the JNDI has significant security
> issues. While we have mitigated what we are aware of it would be safer for
> users to completely disable it by default, especially since the large
> majority are unlikely to be using it. Those who are will need to specify
> -Dlog4j2.enableJndi=true or the environment variable form of it to use any
> JNDI components.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
