[ https://issues.apache.org/jira/browse/LOG4J2-3360?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gary D. Gregory updated LOG4J2-3360:
------------------------------------
    Fix Version/s: 2.17.3
                       (was: 2.17.2)

> Document unsafe lookup usage patterns
> -------------------------------------
>
>                 Key: LOG4J2-3360
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3360
>             Project: Log4j 2
>          Issue Type: Improvement
>            Reporter: Volkan Yazici
>            Priority: Major
>             Fix For: 2.17.3
>
>
> The recent CVE storm has proven that lookups are employed by users in many 
> places where they shouldn't. In particular, lookups depending on 
> {{LogEvent}}'s (e.g., {{ctx}}) are honey pots for attackers and there are 
> safer ways to expose the very same information via more native constructs, 
> e.g., MDC accessors in {{PatternLayout}} and {{JsonTemplateLayout}}. This 
> story aims to enrich the lookup and certain layout documentation with such 
> best practices.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
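
The substitution the issue describes, sketched as a Log4j 2 XML configuration: a `ctx` lookup in a layout beside the MDC accessors of `PatternLayout` and `JsonTemplateLayout`. This is an added example, not taken from the issue or from the Log4j project's documentation; the appender names and the `requestId` key are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>

    <!-- Pattern to move away from: the thread-context value is pulled in
         through the lookup/substitution mechanism on every event. The value
         often originates from request data (headers, user names), so the
         lookup machinery ends up processing attacker-influenced input. -->
    <Console name="LookupBased" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p [$${ctx:requestId}] %c - %m%n"/>
    </Console>

    <!-- Same information via the native MDC converter: %X{key} writes the
         thread-context value as plain data, with no lookup evaluation. -->
    <Console name="MdcConverter" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p [%X{requestId}] %c - %m%n"/>
    </Console>

    <!-- JsonTemplateLayout equivalent: the "mdc" resolver reads the key
         directly from the event's context data. Quotes are escaped because
         the template is given inline as an XML attribute. -->
    <Console name="MdcJson" target="SYSTEM_OUT">
      <JsonTemplateLayout eventTemplate="{
        &quot;timestamp&quot;: {&quot;$resolver&quot;: &quot;timestamp&quot;},
        &quot;level&quot;:     {&quot;$resolver&quot;: &quot;level&quot;, &quot;field&quot;: &quot;name&quot;},
        &quot;requestId&quot;: {&quot;$resolver&quot;: &quot;mdc&quot;, &quot;key&quot;: &quot;requestId&quot;},
        &quot;message&quot;:   {&quot;$resolver&quot;: &quot;message&quot;, &quot;stringified&quot;: true}
      }"/>
    </Console>

  </Appenders>
  <Loggers>
    <!-- Only the accessor-based appenders are wired in; LookupBased is kept
         above purely for comparison. -->
    <Root level="info">
      <AppenderRef ref="MdcConverter"/>
      <AppenderRef ref="MdcJson"/>
    </Root>
  </Loggers>
</Configuration>
```

When auditing existing configurations, searching layout patterns for `${ctx:` and `$${ctx:` finds the candidates for this replacement.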