[KARAF-7061] Add default message escaping for Log4J2 configuration to help prevent log injection attacks - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 4.3.0, 4.2.10
Fix Version/s: 4.2.11, 4.3.1
Component/s: karaf
Labels:
None

Target Version/s:

4.2.11, 4.3.1

Description

As recommended in
https://www.linuxsecrets.com/owasp-wiki/index.php/Injection_Prevention_Cheat_Sheet_in_Java.html#Example_using_Log4j2
to prevent log injections of CRLF or HTML code (which could be exploited if the logs are displayed in an HTML page), we should change the default log4j2 pattern in Karaf from:

log4j2.pattern = %d{ISO8601} | %-5p | %-16t | %-32c{1} | %X{bundle.id} - %X{bundle.name} - %X{bundle.version} | %m%n

to something like this:

log4j2.pattern = %d{ISO8601} | %-5p | %-16t | %-32c{1} | %X{bundle.id} - %X{bundle.name} - %X{bundle.version} | %encode{%.-500m}%n

See :

This would limit the message to 500 characters to prevent sending huge messages and will turn on the default HTML escaping which escapes for CRLF and any HTML tags such as <script>

Attachments

Activity

People

Assignee:: Jean-Baptiste Onofré

Reporter:: Serge Huber

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 05/Mar/21 10:18

Updated:: 06/Mar/21 05:30

Resolved:: 06/Mar/21 05:30