[LOG4J2-3208] Disable JNDI by default - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Story
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.15.0
Fix Version/s: 2.16.0
Component/s: Core
Labels:
None

Description

Dealing with CVE-2021-44228 has shown the JNDI has significant security issues. While we have mitigated what we are aware of it would be safer for users to completely disable it by default, especially since the large majority are unlikely to be using it. Those who are will need to specify -Dlog4j2.enableJndi=true or the environment variable form of it to use any JNDI components.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Ralph Goers

Votes:: 0 Vote for this issue

Watchers:: 12 Start watching this issue

Dates

Created:: 11/Dec/21 16:41

Updated:: 19/Dec/21 02:00

Resolved:: 14/Dec/21 11:23