logging-log4j-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mikael Ståldal (JIRA) <j...@apache.org>
Subject [jira] [Comment Edited] (LOG4J2-1226) Message instances are simply serialized. They mustn't.
Date Fri, 22 Jul 2016 11:50:20 GMT

    [ https://issues.apache.org/jira/browse/LOG4J2-1226?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15389229#comment-15389229
] 

Mikael Ståldal edited comment on LOG4J2-1226 at 7/22/16 11:49 AM:
------------------------------------------------------------------

This is *not* an async processing issue in the same way. In async processing (AsyncAppender
and async loggers), the log events are serialized and deserialized in the same JVM with the
same class loader, so you do not get the same issues as when using SerializedLayout and sending
it to a remote process. You don't get the ClassNotFound problems with custom Throwables and
Messages in async processing.



was (Author: mikaelstaldal):
This is an async processing issue in the same way. In async processing (AsyncAppender and
async loggers), the log events are serialized and deserialized in the same JVM with the same
class loader, so you do not get the same issues as when using SerializedLayout and sending
it to a remote process. You don't get the ClassNotFound problems with custom Throwables and
Messages in async processing.


> Message instances are simply serialized. They mustn't.
> ------------------------------------------------------
>
>                 Key: LOG4J2-1226
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-1226
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: API
>    Affects Versions: 2.5
>            Reporter: Joern Huxhorn
>
> Right now, any Message instance used to call any log method are simply sent as they are.
> Instead, the {{Throwable}} must be transformed into a {{ThrowableProxy}}. Custom {{Message}}
implementations must be transformed into one of log4j's standard message implementations and
care must be taken to convert the {{Parameters}} {{Object[]}} into {{String[]}} before the
message is serialized.
> Otherwise, deserialization will fail if a custom {{Throwable}}, custom {{Message}} or
custom parameter is not contained in the classpath of the application receiving the serialized
{{LogEvent}}.
> I found those issues while implementing the circumvention for [Apache Commons statement
to widespread Java object de-serialisation vulnerability|https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread]
in [Lilith|http://lilithapp.com].



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: log4j-dev-unsubscribe@logging.apache.org
For additional commands, e-mail: log4j-dev-help@logging.apache.org


Mime
View raw message