Details
- Bug
- Status: Open
- Minor
- Resolution: Unresolved
Description
The method org.apache.logging.log4j.core.util.NetUtils.getLocalIps() is error-prone:
- It does not document in which format the returned IP addresses are. IPv6 addresses are not enclosed in square brackets, and may have an optional scope id, e.g. 1080:0:0:0:8:800:200C:417A%eth3. This should be documented because some callers might expect enclosing square brackets.
- It does not include the short form of the IPv6 loopback address: ::1
- Its results include temporary IP addresses. This causes the following issues when, during the runtime of an application, the IP addresses are re-assigned by the provider:
  - If the results of getLocalIps() were cached, parts of the application might break due to IP address change, because the newly assigned IP address is not considered a 'local IP' anymore.
  - It might allow circumventing IP address filters when a malicious actor manages to get the previous IP address as their new address.
NetUtils.getLocalIps() was only introduced for JndiManager, however with the recent changes the method does not appear to be used anymore (see LOG4J2-3242). Therefore, it might also be an option to remove the method again.
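As an added illustration of the three points above (not Log4j code; the class and method names are hypothetical), this helper documents the string form it returns, always includes the short loopback form, and enumerates addresses on every call instead of caching them:

```java
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.net.UnknownHostException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.Set;

/** Hypothetical helper (not Log4j's NetUtils) addressing the issues listed above. */
public final class LocalIps {

    /** Documented string form: IPv4 bare, IPv6 in square brackets, scope id ("%eth3") dropped. */
    static String format(InetAddress addr) {
        String text = addr.getHostAddress();   // for Inet6Address this may end in "%<scope>"
        int scope = text.indexOf('%');
        if (scope >= 0) {
            text = text.substring(0, scope);
        }
        return addr instanceof Inet6Address ? "[" + text + "]" : text;
    }

    /** Enumerated on every call, never cached: temporary addresses can be re-assigned at
     *  runtime, so a stale set both breaks callers and weakens IP-based filters.
     *  Both loopback forms are always present. */
    static Set<InetAddress> current() throws SocketException, UnknownHostException {
        Set<InetAddress> ips = new LinkedHashSet<>();
        ips.add(InetAddress.getByName("127.0.0.1"));
        ips.add(InetAddress.getByName("::1"));   // IP literal, so no name resolution happens
        Enumeration<NetworkInterface> nics = NetworkInterface.getNetworkInterfaces();
        if (nics != null) {                      // may be null on platforms without interfaces
            for (NetworkInterface nic : Collections.list(nics)) {
                ips.addAll(Collections.list(nic.getInetAddresses()));
            }
        }
        return ips;
    }

    /** Accepts only IP literals (a host name would trigger DNS) and compares parsed address
     *  bytes (InetAddress.equals ignores the scope id), so "::1", "[::1]" and
     *  "0:0:0:0:0:0:0:1" all match the IPv6 loopback entry. */
    static boolean isLocal(String literal) throws SocketException, UnknownHostException {
        boolean isLiteral = literal.indexOf(':') >= 0 || literal.matches("\\d{1,3}(\\.\\d{1,3}){3}");
        return isLiteral && current().contains(InetAddress.getByName(literal));
    }
}
```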