[ https://issues.apache.org/jira/browse/LOG4J2-3383?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17485415#comment-17485415 ]

Ralph Goers edited comment on LOG4J2-3383 at 2/1/22, 6:45 PM:
--------------------------------------------------------------

CVE-2017-5645 started our hunt for Serialization/Deserialization issues within 
Log4j. The change that causes the error message you get wasn't a direct result 
of that CVE but a bug we found as a result of the fix from that CVE. Note that 
LOG4J2-1958 deprecated SerializedLayout. Today we recommend using 
JsonTemplateLayout.

Relevant Jira issues:
https://issues.apache.org/jira/browse/LOG4J2-1958, 
https://issues.apache.org/jira/browse/LOG4J2-1863, and 
https://issues.apache.org/jira/browse/LOG4J2-2163

Log4j 2 doesn't provide a JMS Sink/Server. How to use a 
FilteredObjectInputStream would require knowing what JMS server you are using. 
Note that if you are using Java 9 or greater you can also use the JDK's 
ObjectInputFilter. I wouldn't be surprised if third-party tooling automatically 
uses that.

Note that XML is perfectly valid inside of JSON so long as it is treated as a 
Java String when the JSON is constructed.

For the benefit of [~ggregory] this behavior seems to have been added in Log4j 
2.10.0.
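The two consumer-side options mentioned in the comment above, as an added example that is not part of this thread or of Log4j's own code. It assumes log4j-api and log4j-core 2.17.1 on the classpath, a Java 9 or later JDK for the ObjectInputFilter branch, and a constructed event standing in for the bytes that arrive in the JMS ObjectMessage; the class name and the filter pattern are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.impl.Log4jLogEvent;
import org.apache.logging.log4j.message.SimpleMessage;
import org.apache.logging.log4j.util.FilteredObjectInputStream;

public class LogEventDeserializationDemo {
    // Constructed stand-in for the bytes SerializedLayout puts into the JMS ObjectMessage.
    static byte[] serializedEvent() throws Exception {
        LogEvent event = Log4jLogEvent.newBuilder().setLoggerName("AuditLogger")
                .setLevel(Level.INFO).setMessage(new SimpleMessage("audit record")).build();
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(event);
        }
        return bytes.toByteArray();
    }
    // Option 1: Log4j's own allow-listing stream (Java 8 and later).
    static LogEvent readWithFilteredStream(byte[] payload) throws Exception {
        try (ObjectInputStream in = new FilteredObjectInputStream(new ByteArrayInputStream(payload))) {
            return (LogEvent) in.readObject();
        }
    }
    // Option 2: a plain ObjectInputStream carrying a JDK ObjectInputFilter (Java 9 and later).
    // The pattern is an assumption; allow only the classes your events actually carry.
    static LogEvent readWithJdkFilter(byte[] payload) throws Exception {
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter("org.apache.logging.log4j.**;java.**;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(allowList);
            return (LogEvent) in.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] payload = serializedEvent();
        // An unfiltered stream, which is what a JMS client uses unless the process-wide
        // -Djdk.serialFilter is set, is rejected by Log4j with the error quoted in the report.
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.readObject();
        } catch (Exception rejected) {
            System.out.println("unfiltered: " + rejected.getMessage());
        }
        System.out.println("filtered:   " + readWithFilteredStream(payload).getMessage().getFormattedMessage());
        System.out.println("jdk filter: " + readWithJdkFilter(payload).getMessage().getFormattedMessage());
    }
}
```

Inside a JMS onMessage handler the stream is created by the provider, so on Java 9+ the process-wide `-Djdk.serialFilter` property is the portable way to give it a filter; otherwise the provider's own deserialization settings decide.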

> JMS Log deserialization is failing on jboss eap after upgrade to 2.17.1
> -----------------------------------------------------------------------
>
>                 Key: LOG4J2-3383
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3383
>             Project: Log4j 2
>          Issue Type: Question
>          Components: Appenders
>    Affects Versions: 2.17.1
>         Environment: JBoss EAP 7.2.0 on linux and windows.
>   Jboss is using JMS client lib:  artemis-jms-client-2.6.3.redhat-00014
>            Reporter: leor amikam
>            Priority: Critical
>
> We upgraded log4j2 from 2.9.0 to 2.17.1. Using the JMS appender. In our 
> onMessage JMS handler, we have the following:
>  
> {code:java}
> ObjectMessage objMessage = (ObjectMessage) message;
> LogEvent ev = (LogEvent) objMessage.getObject();
>  
> {code}
>  
> The cast to the LogEvent is now throwing this exception:
> {code:java}
> javax.jms.JMSException: readObject requires a FilteredObjectInputStream or an 
> ObjectInputStream that accepts an ObjectInputFilter{code}
>  
> Here is the log4j2.xml config for the appender
>  
> {code:xml}
> <JMS name="AuditAppender"
>      destinationBindingName="jms/queue/AuditQueue"
>      factoryBindingName="jms/RemoteConnectionFactory"
>      providerURL="http-remoting://127.0.0.1:8080"
>      username="xxxx"
>      password="xxxx"
>      factoryName="org.wildfly.naming.client.WildFlyInitialContextFactory">
>     <SerializedLayout />
> </JMS>
> <Logger name="AuditLogger" level="OFF" additivity="false">
>     <AppenderRef ref="AuditAppender"/>
> </Logger>
> {code}
>  
> None of the underlying code has changed other than the log4j2 upgrade.  Any 
> suggestions?
> Thanks!



--
This message was sent by Atlassian Jira
(v8.20.1#820001)