LOG4J2-1959: Disable DTD processing in XML configuration files

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.8.2
    • Fix Version/s: 2.9.0
    • Component/s: Configurators
    • Labels:
      None

      Description

      For security reasons, DTD processing should be disabled when parsing XML configuration files.

        Activity

        Mikael Ståldal (mikaelstaldal) added a comment:

        In Git master.

        Brian Martin (bmartin) added a comment:

        Can you clarify the potential attack vector? Can a lower privileged user upload a configuration file or somehow inject a file into Log4J's process? Or is this a "just in case" / defense-in-depth fix? I couldn't find a commit to look into this more.

        Mikael Ståldal (mikaelstaldal) added a comment:

        Lower privileged users are not supposed to upload configuration files to Log4j.

        This is a "just in case" / defence-in-depth fix.

        It is possible to upload configuration via JMX, but you are not supposed to give lower privileged users access to JMX.

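As an added example (not Log4j's own code and not part of this issue), this is the kind of JAXP hardening the description asks for: the default DocumentBuilderFactory accepts a DOCTYPE and expands its entities, while the hardened factory rejects the declaration outright and, as a fallback, disables external entity and DTD loading. The feature URIs are the standard Xerces/JDK ones; the two sample configuration documents are constructed for the demonstration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXmlConfigParser {
    // Constructed sample: a configuration document carrying a DOCTYPE with an internal entity.
    static final String CONFIG_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE Configuration [ <!ENTITY name \"value\"> ]>\n"
      + "<Configuration status=\"&name;\"/>";
    // Constructed sample: the same document without any DTD.
    static final String PLAIN_CONFIG =
        "<?xml version=\"1.0\"?><Configuration status=\"WARN\"/>";

    /** Default JAXP factory: the DTD is processed and entity references are expanded. */
    static DocumentBuilder defaultParser() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened factory: refuses any DOCTYPE and never loads external entities or DTDs. */
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject the DOCTYPE declaration itself (Xerces feature, supported by the JDK parser).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that lack the feature above but honour these.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns the root element's status attribute, or null when the parser rejected the document. */
    static String parseStatus(DocumentBuilder parser, String xml) throws Exception {
        try {
            Document doc = parser.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement().getAttribute("status");
        } catch (SAXParseException rejected) {
            return null;
        }
    }
}
```

With defaultParser(), parseStatus on CONFIG_WITH_DOCTYPE returns the expanded entity text, whereas hardenedParser() rejects that document (null) while still parsing PLAIN_CONFIG normally.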

          People

          • Assignee: Mikael Ståldal (mikaelstaldal)
          • Reporter: Mikael Ståldal (mikaelstaldal)
