[ https://issues.apache.org/jira/browse/LOG4J2-3242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17462828#comment-17462828 ]
ASF subversion and git services commented on LOG4J2-3242:
---------------------------------------------------------

Commit bf8ba18f63ab9f9ffd54387c5c527ecc7a681037 in logging-log4j2's branch refs/heads/log4j-2.12 from Gary Gregory
[ https://gitbox.apache.org/repos/asf?p=logging-log4j2.git;h=bf8ba18 ]

[LOG4J2-3242] Limit JNDI to the java protocol only. (#645)

* [LOG4J2-3242] Limit JNDI to the java protocol only.
JNDI will remain disabled by default.
The enablement property has been renamed to 'log4j2.enableJndiJava'.

* Do not declare log4j-api-java9 and log4j-core-java9 as dependencies as it causes problems with the Maven enforcer plugin.
I'm not updating changes.xml to avoid git conflicts.

* [LOG4J2-3242] Limit JNDI to the java protocol only.
JNDI will remain disabled by default.
The enablement property has been renamed to 'log4j2.enableJndiJava'.
Oops, add missing test fixture for RoutingAppenderWithJndiTest.

> Limit JNDI to the java protocol only
> ------------------------------------
>
>                 Key: LOG4J2-3242
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3242
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.16.0
>            Reporter: Ralph Goers
>            Priority: Major
>             Fix For: 2.17.1
>
>
> The use of JNDI to access anything besides the java protocol has proven to be
> insecure. Use of anything but that must be disabled. JNDI needs to remain
> disabled by default.
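
The restriction described in the issue, sketched as an added Java example (not Log4j's own code and not part of the commit): a lookup guard that stays off unless 'log4j2.enableJndiJava' is set to true and then accepts only names whose scheme is java. The class name, the helper methods, the choice to reject scheme-less names and the sample names are assumptions made for this illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class JndiJavaOnlyGuard {
    // Property name from the commit message; this class is illustrative, not Log4j's code.
    static final String ENABLE_PROPERTY = "log4j2.enableJndiJava";

    // JNDI stays off unless the property is explicitly set to "true".
    static boolean jndiEnabled() {
        return Boolean.parseBoolean(System.getProperty(ENABLE_PROPERTY, "false"));
    }

    // Allow a name only when JNDI is enabled and its scheme is exactly "java".
    // Assumption of this sketch: names without a scheme are rejected as well.
    static boolean isAllowed(String name) {
        if (!jndiEnabled() || name == null) {
            return false;
        }
        try {
            return "java".equals(new URI(name).getScheme());
        } catch (URISyntaxException e) {
            return false; // unparsable names fail closed
        }
    }

    public static void main(String[] args) {
        // Constructed sample names, not taken from the issue.
        String[] names = {
            "java:comp/env/jdbc/AppDS",
            "ldap://directory.example.invalid/cn=app",
            "rmi://registry.example.invalid/obj",
            "jdbc/AppDS",
            "java:comp env"
        };
        // First pass: property as launched (unset by default). Second pass: enabled.
        for (String state : new String[] {null, "true"}) {
            if (state != null) {
                System.setProperty(ENABLE_PROPERTY, state);
            }
            System.out.println(ENABLE_PROPERTY + "=" + System.getProperty(ENABLE_PROPERTY));
            for (String n : names) {
                System.out.println("  " + (isAllowed(n) ? "allow  " : "reject ") + n);
            }
        }
    }
}
```

A caller would consult isAllowed before handing the name to javax.naming.Context.lookup, so a rejected name never reaches a JNDI provider.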