LOG4J2-2511: Turn Log Injection Defenses On By Default

Project: Log4j 2

Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 2.11.1
    • Fix Version/s: None
    • Component/s: Pattern Converters

Description

    Per: https://logging.apache.org/log4j/log4j-2.8/manual/layouts.html - there is a new encoding scheme introduced in 2.10.0 (by https://issues.apache.org/jira/browse/LOG4J2-1203) that allows users to encode plain logging output with enc{pattern}{CRLF} to avoid Log Injection attacks (https://www.owasp.org/index.php/Log_Injection). While it is great to have this available, most developers won't be aware of the risk of Log Injection, so they won't do anything about it.

    I recommend that Log4J2 enable this encoding by default if no other encoding scheme is specified. It shouldn't hurt plain text logging by defending against this attack automatically. However, to allow people to disable it in case they really don't want this, I suggest creating an encoding scheme like {NONE} that explicitly disables this new default behavior, which people can use to turn it off.
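
    An added example (not from this issue or the Log4j project) showing the opt-in defense the description refers to: one log4j2.xml that writes every event through a plain %m pattern and through the enc{...}{CRLF} converter, so the two files can be compared when a logged value contains a line break. The appender names, file paths and logger name are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not Log4j project code: the same events through two layouts. -->
<Configuration status="WARN">
  <Appenders>
    <!-- Weak setting: %m writes the message verbatim. If the message holds a
         line feed, the record is split over two lines, and a reader or log
         parser cannot tell the second line from a genuine record. -->
    <File name="plain" fileName="logs/app-plain.log">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c{1} - %m%n"/>
    </File>

    <!-- Hardened setting: %enc{%m}{CRLF} (available since 2.10.0) replaces
         each carriage return and line feed inside the message with the two
         characters \r and \n, so the whole event stays on one line and the
         line break remains visible as text. Only the message is encoded;
         %d, %t and %c are produced by Log4j itself. -->
    <File name="encoded" fileName="logs/app-encoded.log">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c{1} - %enc{%m}{CRLF}%n"/>
    </File>
  </Appenders>

  <Loggers>
    <Root level="info">
      <AppenderRef ref="plain"/>
      <AppenderRef ref="encoded"/>
    </Root>
  </Loggers>
</Configuration>
```

    The second file is what this issue proposes as the default: a plain %m would behave like %enc{%m}{CRLF} unless the configuration opts out.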

People

    • Assignee: Unassigned
    • Reporter: Dave Wichers (davewichers)