[LOG4J2-3293] JDBC Appender should use JNDI Manager and JNDI access should be limited. - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.17.0, 2.12.3, 2.3.1
Fix Version/s: 2.17.1, 2.3.2, 2.12.4
Component/s: Appenders
Labels:
None

Description

JDBC Appender should use JndiManager when accessing JNDI. JNDI access should be controlled via a system property.

Related to CVE-2021-44832 where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.

Fixed in https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16

Attachments

Activity

People

Assignee:: Gary D. Gregory

Reporter:: Ralph Goers

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 28/Dec/21 18:59

Updated:: 03/Jan/22 18:15

Resolved:: 28/Dec/21 19:30