Uploaded image for project: 'Log4j 2'
  1. Log4j 2
  2. LOG4J2-1958

Deprecate SerializedLayout and remove it as default

    XMLWordPrintableJSON

Details

    • Task
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 2.8.2
    • 2.9.0
    • Appenders, Layouts
    • None

    Description

      Due to inherent security weakness of Java object serialization, see https://www.owasp.org/index.php/Deserialization_of_untrusted_data, we should deprecate SerializedLayout and discourage its use. We should also remove it as default from the appenders which currently has it:

      • SocketAppender
      • JmsAppender

      For the time being, we can recommend using JsonLayout as a replacement.

      Attachments

        Issue Links

          causes

          Question - A formal question. Initially added for the Legal JIRA. LOG4J2-2411 error - No layout provided

          • Major - Major loss of function.
          • Closed
          is related to

          New Feature - A new feature of the product, which has yet to be developed. LOG4J2-1863 Add support for filtering input in TcpSocketServer and UdpSocketServer

          • Major - Major loss of function.
          • Closed
          relates to

          New Feature - A new feature of the product, which has yet to be developed. LOG4J2-1986 Public API for parsing the output from JsonLayout/XmlLayout/YamlLayout into a LogEvent

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. LOG4J2-2020 Remove default layout from KafkaAppender

          • Major - Major loss of function.
          • Closed

          Activity

            People

              mikaelstaldal Mikael Ståldal
              mikaelstaldal Mikael Ståldal
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: