Log4j 2 - LOG4J2-1958

Deprecate SerializedLayout and remove it as default

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.8.2
    • Fix Version/s: 2.9.0
    • Component/s: Appenders, Layouts
    • Labels:
      None

      Description

      Due to the inherent security weakness of Java object serialization, see https://www.owasp.org/index.php/Deserialization_of_untrusted_data, we should deprecate SerializedLayout and discourage its use. We should also remove it as default from the appenders which currently have it:

      • SocketAppender
      • JmsAppender

      For the time being, we can recommend using JsonLayout as a replacement.
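      As an added illustration (not part of the issue and not the Log4j project's own documentation), the following log4j2.xml shows a Socket appender with the deprecated SerializedLayout next to the JsonLayout replacement the description recommends. The host name and port are placeholders; the JsonLayout attributes used (compact, eventEol, properties) are standard ones.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example configuration, not taken from the issue. Host and port are placeholders. -->
<Configuration status="warn">
  <Appenders>
    <!-- Form to migrate away from. Before 2.9.0 a Socket appender declared with no
         layout element got SerializedLayout by default; writing it out explicitly, as
         here, is the same thing: the receiving end must deserialize Java objects read
         from the socket, which is the weakness the issue deprecates the layout for. -->
    <Socket name="RemoteSerialized" host="logs.example.internal" port="4560">
      <SerializedLayout/>
    </Socket>

    <!-- Replacement recommended in the issue: the same appender with an explicit
         JsonLayout, so the wire carries one JSON document per event (eventEol adds a
         newline after each event; properties includes the thread context map). -->
    <Socket name="RemoteJson" host="logs.example.internal" port="4560" protocol="TCP">
      <JsonLayout compact="true" eventEol="true" properties="true"/>
    </Socket>
  </Appenders>
  <Loggers>
    <!-- Only the JSON appender is wired in; RemoteSerialized is kept above solely to
         show the configuration to look for when auditing existing deployments. -->
    <Root level="info">
      <AppenderRef ref="RemoteJson"/>
    </Root>
  </Loggers>
</Configuration>
```

      The two wire formats are not interchangeable, so whatever consumes the stream (for example a collector expecting serialized LogEvent objects) has to be switched to a JSON parser at the same time as the layout is changed; the same applies to the JMS appender named in the description.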


          Activity

          garydgregory Gary Gregory added a comment -

          Should we log a status logger warning if a SerializedLayout is used?

          mikaelstaldal Mikael Ståldal added a comment -

          Yes, that could be a good idea.

          mikaelstaldal Mikael Ståldal added a comment -

          See Git branch LOG4J2-1958.

          jvz Matt Sicker added a comment -

          Said status logger message might want to include a link to more information about the general object deserialization exploits in Java besides linking our CVE.

          mikaelstaldal Mikael Ståldal added a comment -

          In Git master.

          jira-bot ASF subversion and git services added a comment -

          Commit 70677348c98b51e6bbe73466a66b77301c1b71df in logging-log4j2's branch refs/heads/master from Gary Gregory
          [ https://git-wip-us.apache.org/repos/asf?p=logging-log4j2.git;h=7067734 ]

          LOG4J2-1958 Deprecate SerializedLayout and remove it as default.


            People

            • Assignee: mikaelstaldal Mikael Ståldal
            • Reporter: mikaelstaldal Mikael Ståldal
            • Votes: 0
            • Watchers: 3