Author: rgoers
Date: Wed Dec 18 22:43:18 2019
New Revision: 1054231

Log:
Add description of exploit

Modified:
    websites/production/logging/content/log4j/log4j-1.2.17/index.html

Modified: websites/production/logging/content/log4j/log4j-1.2.17/index.html
==============================================================================
--- websites/production/logging/content/log4j/log4j-1.2.17/index.html (original)
+++ websites/production/logging/content/log4j/log4j-1.2.17/index.html Wed Dec 
18 22:43:18 2019
@@ -155,7 +155,8 @@
           <div class="section">
               <h2>End of Life</h2><p>On August 5, 2015 the Logging Services 
Project Management Committee announced that Log4j 1.x had reached end of life. 
For complete text of the announcement please see the <a 
href="http://blogs.apache.org/foundation/entry/apache_logging_services_project_announces";>Apache
 Blog</a>. Users of Log4j 1 are recommended to upgrade to <a 
class="externalLink" 
href="http://logging.apache.org/log4j/2.x/index.html";>Apache Log4j 2</a>.</p>
               <h2>Security Vulnerabilities</h2>
-                <p>A security vulnerability, <a 
href="https://www.cvedetails.com/cve/CVE-2019-17571/";>CVE-2019-17571</a> has 
been identified against Log4j 1. Since Log4j 1 is no longer maintained this 
issue will not be fixed. Users are urged to upgrade to Log4j 2.</p>
+                <p>A security vulnerability, <a 
href="https://www.cvedetails.com/cve/CVE-2019-17571/";>CVE-2019-17571</a> has 
been identified against Log4j 1. Log4j includes a SocketServer that accepts 
serialized log events and deserializes them without verifying whether the 
objects are allowed or not. 
+                This can provide an attack vector that can be expoited. Since 
Log4j 1 is no longer maintained this issue will not be fixed. Users are urged 
to upgrade to Log4j 2.</p>
               <h2>Java Version Incompatibilities</h2>
                 <p>The version detection algorithm changed in Java 9 which 
causes the MDC not to work properly. See <a 
href="https://blogs.apache.org/logging/entry/moving_on_to_log4j_2";>Log4j 1.2 is 
broken on Java 9</a> for details.</p>
               <h2>Apache log4j&#x2122; 1.2<a 
name="Apache_log4j_1.2"></a></h2><p>Welcome to Apache log4j, a logging library 
for Java. Apache log4j is an Apache Software Foundation Project and developed 
by a dedicated team of Committers of the Apache Software Foundation. For more 
info, please see <a class="externalLink" href="http://www.apache.org";>The 
Apache Software Foundation</a>. Apache log4j is also part of a project which is 
known as <a class="externalLink" href="http://logging.apache.org";>Apache 
Logging</a>. Please see the <a href="/license.html">License</a>.</p><p>If you 
are interested in the recent changes, visit our <a 
href="/changes-report.html">changes report</a>.</p>
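Review bot: The added paragraph contains a typo, "expoited" should read "exploited", in the line `+                This can provide an attack vector that can be expoited. Since`. While touching it, the description would be more useful to readers if it stated the scope of the issue explicitly: the deserialization of untrusted data happens in the SocketServer component, so the vector exists only for deployments that actually run that server and expose it to untrusted senders, and users who cannot upgrade to Log4j 2 should at least not run or expose the SocketServer. A sentence along those lines would turn the paragraph from a bare statement of risk into actionable guidance, which is what an end-of-life security notice needs.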