[jira] [Commented] (LOG4J2-3371) Log Injection Vulnerability exists in Log4j2 default configuration

2022-02-10 Thread Ralph Goers (Jira)
[ https://issues.apache.org/jira/browse/LOG4J2-3371?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17490694#comment-17490694 ] Ralph Goers commented on LOG4J2-3371: [~ggregory] We certainly could escape all control characters.

[jira] [Commented] (LOG4J2-3371) Log Injection Vulnerability exists in Log4j2 default configuration

2022-02-10 Thread 4ra1n (Jira)
[ https://issues.apache.org/jira/browse/LOG4J2-3371?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17490551#comment-17490551 ] 4ra1n commented on LOG4J2-3371: In fact, for this problem, there are corresponding reasons for publishing

[jira] [Commented] (LOG4J2-3371) Log Injection Vulnerability exists in Log4j2 default configuration

2022-02-10 Thread Gary D. Gregory (Jira)
[ https://issues.apache.org/jira/browse/LOG4J2-3371?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17490479#comment-17490479 ] Gary D. Gregory commented on LOG4J2-3371: If we were to allow for stripping out control

[jira] [Commented] (LOG4J2-3371) Log Injection Vulnerability exists in Log4j2 default configuration

2022-02-10 Thread Ralph Goers (Jira)
[ https://issues.apache.org/jira/browse/LOG4J2-3371?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17490449#comment-17490449 ] Ralph Goers commented on LOG4J2-3371: [~mattsicker] The fix for the PatternLayout requires more

[jira] [Commented] (LOG4J2-3371) Log Injection Vulnerability exists in Log4j2 default configuration

2022-02-10 Thread Matt Sicker (Jira)
[ https://issues.apache.org/jira/browse/LOG4J2-3371?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17490415#comment-17490415 ] Matt Sicker commented on LOG4J2-3371: I doubt the PMC would approve of publishing a CVE for this.

[jira] [Commented] (LOG4J2-3371) Log Injection Vulnerability exists in Log4j2 default configuration

2022-02-10 Thread 4ra1n (Jira)
[ https://issues.apache.org/jira/browse/LOG4J2-3371?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17490041#comment-17490041 ] 4ra1n commented on LOG4J2-3371: Yes, for example, if other projects using log4j have log injection in

[jira] [Commented] (LOG4J2-3371) Log Injection Vulnerability exists in Log4j2 default configuration

2022-02-10 Thread Ralph Goers (Jira)
[ https://issues.apache.org/jira/browse/LOG4J2-3371?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17490027#comment-17490027 ] Ralph Goers commented on LOG4J2-3371: I personally do not consider this to be worthy of a CVE. I do

[jira] [Commented] (LOG4J2-3371) Log Injection Vulnerability exists in Log4j2 default configuration

2022-02-09 Thread 4ra1n (Jira)
[ https://issues.apache.org/jira/browse/LOG4J2-3371?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17489986#comment-17489986 ] 4ra1n commented on LOG4J2-3371: At your convenience, would you please let me know what you think of this?

[jira] [Commented] (LOG4J2-3371) Log Injection Vulnerability exists in Log4j2 default configuration

2022-01-28 Thread 4ra1n (Jira)
[ https://issues.apache.org/jira/browse/LOG4J2-3371?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17484040#comment-17484040 ] 4ra1n commented on LOG4J2-3371: Thank you for your reply. Layouts using JsonTemplateLayout and GelfLayout

[jira] [Commented] (LOG4J2-3371) Log Injection Vulnerability exists in Log4j2 default configuration

2022-01-28 Thread Ralph Goers (Jira)
[ https://issues.apache.org/jira/browse/LOG4J2-3371?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17483874#comment-17483874 ] Ralph Goers commented on LOG4J2-3371: This is very dependent on the layout you use. If you use