  1. Log4j 2
  2. LOG4J2-1958

Deprecate SerializedLayout and remove it as default

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.8.2
    • Fix Version/s: 2.9.0
    • Component/s: Appenders, Layouts
    • Labels:
      None

      Description

      Due to the inherent security weakness of Java object serialization (see https://www.owasp.org/index.php/Deserialization_of_untrusted_data), we should deprecate SerializedLayout and discourage its use. We should also remove it as the default from the appenders which currently have it:

      • SocketAppender
      • JmsAppender

      For the time being, we can recommend using JsonLayout as a replacement.
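
An added example, not part of the issue or the Log4j code base: a small Python check that flags Socket and JMS appenders in a log4j2 XML configuration that either name SerializedLayout or set no layout and so fall back to the appender's default. The plugin element names, the sample configuration and the host name are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Element names assumed for the two appenders the issue names
# (<Socket>, <JMS> and its aliases), compared case-insensitively.
AFFECTED = {"socket", "jms", "jmsqueue", "jmstopic"}

# Constructed sample configuration, not taken from the issue.
SAMPLE_CONFIG = """
<Configuration>
  <Appenders>
    <Socket name="implicit" host="logs.example.test" port="4560"/>
    <Socket name="explicit" host="logs.example.test" port="4560">
      <SerializedLayout/>
    </Socket>
    <Socket name="json" host="logs.example.test" port="4560">
      <JsonLayout compact="true" eventEol="true"/>
    </Socket>
    <Console name="console">
      <PatternLayout pattern="%m%n"/>
    </Console>
  </Appenders>
</Configuration>
"""


def audit(config_xml):
    """Return (appender name, finding) pairs for Socket/JMS appenders."""
    findings = []
    for element in ET.fromstring(config_xml).iter():
        if element.tag.lower() not in AFFECTED:
            continue
        # Any child element whose name ends in "Layout" is the explicit layout.
        layouts = [c.tag.lower() for c in element if c.tag.lower().endswith("layout")]
        name = element.get("name", "?")
        if "serializedlayout" in layouts:
            findings.append((name, "uses SerializedLayout"))
        elif not layouts:
            # Per the issue, the default on affected versions is SerializedLayout.
            findings.append((name, "no layout set; default applies"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

Appenders reported as "no layout set" depend on the Log4j version in use, so setting JsonLayout explicitly keeps the wire format independent of the default.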

              People

              • Assignee:
                mikaelstaldal Mikael Ståldal
                Reporter:
                mikaelstaldal Mikael Ståldal