[jira] [Updated] (LOG4J2-1226) Message instances are simply serialized. They mustn't.

Mon, 21 Dec 2015 02:59:03 -0800 

     [ 
https://issues.apache.org/jira/browse/LOG4J2-1226?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Joern Huxhorn updated LOG4J2-1226:
----------------------------------
    Description: 
Right now, any Message instance used to call any log method are simply sent as 
they are.

Instead, the {{Throwable}} must be transformed into a {{ThrowableProxy}}. 
Custom {{Message}} implementations must be transformed into one of log4j's 
standard message implementations and care must be taken to convert the 
{{Parameters}} {{Object[]}} into {{String[]}} before the message is serialized.

Otherwise, deserialization will fail if a custom {{Throwable}}, custom 
{{Message}} or custom parameter is not contained in the classpath of the 
application receiving the serialized {{LogEvent}}.

I found those issues while implementing the circumvention for [Apache Commons 
statement to widespread Java object de-serialisation 
vulnerability|https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread]
 in [Lilith|http://lilithapp.com].

> Message instances are simply serialized. They mustn't.
> ------------------------------------------------------
>
>                 Key: LOG4J2-1226
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-1226
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: API
>    Affects Versions: 2.5
>            Reporter: Joern Huxhorn
>
> Right now, any Message instance used to call any log method are simply sent 
> as they are.
> Instead, the {{Throwable}} must be transformed into a {{ThrowableProxy}}. 
> Custom {{Message}} implementations must be transformed into one of log4j's 
> standard message implementations and care must be taken to convert the 
> {{Parameters}} {{Object[]}} into {{String[]}} before the message is 
> serialized.
> Otherwise, deserialization will fail if a custom {{Throwable}}, custom 
> {{Message}} or custom parameter is not contained in the classpath of the 
> application receiving the serialized {{LogEvent}}.
> I found those issues while implementing the circumvention for [Apache Commons 
> statement to widespread Java object de-serialisation 
> vulnerability|https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread]
>  in [Lilith|http://lilithapp.com].



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: log4j-dev-unsubscr...@logging.apache.org
For additional commands, e-mail: log4j-dev-h...@logging.apache.org

Reply via email to