I've not seen much speculation on how this bug was created in the first place, so I'll take a guess here:
On https://logging.apache.org/log4j/2.x/manual/lookups.html it says: "Lookups provide a way to add values to the Log4j configuration at arbitrary places." I think, the person/team that implemented the Lookup feature never indented it to be used outside of the configuration files, which are clearly part of the codebase and therefore trusted. I can fully understand why this is seen as a useful feature.
Then someone else came, saw that there's a useful feature that allows to automatically extend stuff like the request URL in a log message, and embedded that in the log message parser. I don't think this should ever have been implemented, and surely not enabled by default. Even if there was no LDAP remote code execution (ok, we can blame Java for this) or JNDI lookups (which can leak data to the outside), this lets user provided input be used as a query to all the stuff that can be inserted by Lookups (environment vars, request headers, JVM arguments, ...) For example, someone who just has access to the logs can use this to query secrets stored in the environment of the app.
On https://logging.apache.org/log4j/2.x/manual/lookups.html it says: "Lookups provide a way to add values to the Log4j configuration at arbitrary places." I think, the person/team that implemented the Lookup feature never indented it to be used outside of the configuration files, which are clearly part of the codebase and therefore trusted. I can fully understand why this is seen as a useful feature.
Then someone else came, saw that there's a useful feature that allows to automatically extend stuff like the request URL in a log message, and embedded that in the log message parser. I don't think this should ever have been implemented, and surely not enabled by default. Even if there was no LDAP remote code execution (ok, we can blame Java for this) or JNDI lookups (which can leak data to the outside), this lets user provided input be used as a query to all the stuff that can be inserted by Lookups (environment vars, request headers, JVM arguments, ...) For example, someone who just has access to the logs can use this to query secrets stored in the environment of the app.