This is an automated email from the ASF dual-hosted git repository.

rpopma pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new c4aafe0  [DOC] Add Work In Progress notice and credit Kai Mindermann
c4aafe0 is described below

commit c4aafe0b3a75f2e42538a9c940c66860f4b7fa83
Author: Remko Popma <rem...@yahoo.com>
AuthorDate: Wed Dec 15 00:03:11 2021 +0900

    [DOC] Add Work In Progress notice and credit Kai Mindermann
---
 log4j-2.16.0/security.html | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/log4j-2.16.0/security.html b/log4j-2.16.0/security.html
index 842612a..ae92f77 100644
--- a/log4j-2.16.0/security.html
+++ b/log4j-2.16.0/security.html
@@ -192,8 +192,11 @@
 <p><b>Release Details</b></p>
 <p>As of Log4j 2.15.0 the message lookups feature was disabled by default. 
Lookups in configuration still work. While Log4j 2.15.0 has an option to enable 
Lookups in this fashion, users are strongly discouraged from enabling it. A 
whitelisting mechanism was introduced for JNDI connections, allowing only 
localhost by default.</p>
 <p>From version 2.16.0, the message lookups feature has been completely 
removed. Lookups in configuration still work. Furthermore, Log4j now disables 
access to JNDI by default. JNDI lookups in configuration now need to be enabled 
explicitly. Also, Log4j now limits the protocols by default to only java, ldap, 
and ldaps and limits the ldap protocols to only accessing Java primitive 
objects. Hosts other than the local host need to be explicitly 
allowed.</p></section><section>
+<h4><a name="Work_in_progress"></a>Work in progress</h4>
+<p>The Log4j team will continue to actively update this page as more 
information becomes known.</p></section><section>
 <h4><a name="Credit"></a>Credit</h4>
-<p>This issue was discovered by Chen Zhaojun of Alibaba Cloud Security 
Team.</p></section><section>
+<p>This issue was discovered by Chen Zhaojun of Alibaba Cloud Security 
Team.</p>
+<p>The ThreadContext attack vector was first discovered by Kai Mindermann of 
iC Consult.</p></section><section>
 <h4><a name="References"></a>References</h4>
 <p><a class="externalLink" 
href="https://issues.apache.org/jira/browse/LOG4J2-3201";>https://issues.apache.org/jira/browse/LOG4J2-3201</a>
 and <a class="externalLink" 
href="https://issues.apache.org/jira/browse/LOG4J2-3198";>https://issues.apache.org/jira/browse/LOG4J2-3198</a>.</p></section></section><section>
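Review bot: The new Credit paragraph introduces "The ThreadContext attack vector" without that vector being described or referenced anywhere in the visible page text, and the References section still lists only LOG4J2-3201 and LOG4J2-3198; consider adding a short sentence under Release Details or Work in progress saying which versions address it, or a corresponding link in References, so readers can tell what was fixed. Also, with two credited findings now on the page, the first paragraph's "This issue was discovered by ..." has become ambiguous; naming the specific issue (for example "The JNDI message lookup issue was discovered by ...") would remove the ambiguity.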
 
