For security reasons, DTD processing should be disabled when parsing XML configuration files.
In Git master.
Can you clarify the potential attack vector? Can a lower privileged user upload a configuration file or somehow inject a file into Log4J's process? Or is this a "just in case" / defense-in-depth fix. I couldn't find a commit to look into this more.
Lower privileged users are not supposed to upload a configuration files to Log4j.
This is a "just in case" / defence-in-depth fix.
It is possible to upload configuration via JMX, but you are not supposed to give lower privileged users access to JMX.