Uploaded image for project: 'Log4j 2'
  1. Log4j 2
  2. LOG4J2-3293

JDBC Appender should use JNDI Manager and JNDI access should be limited.

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 2.17.0, 2.12.3, 2.3.1
    • 2.17.1, 2.3.2, 2.12.4
    • Appenders
    • None

    Description

      JDBC Appender should use JndiManager when accessing JNDI. JNDI access should be controlled via a system property.

      Related to CVE-2021-44832 where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.

      Fixed in https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16 

      Attachments

        Activity

          People

            ggregory Gary D. Gregory
            rgoers Ralph Goers
            Votes:
            0 Vote for this issue
            Watchers:
            11 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: