This is an automated email from the ASF dual-hosted git repository.

rpopma pushed a commit to branch release-2.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git


The following commit(s) were added to refs/heads/release-2.x by this push:
     new f719cbe  [DOC] Add Work In Progress notice and credit Kai Mindermann
f719cbe is described below

commit f719cbef14155edf426dd1e32b8ad95134db2bde
Author: rpopma <rpo...@apache.org>
AuthorDate: Wed Dec 15 00:03:48 2021 +0900

    [DOC] Add Work In Progress notice and credit Kai Mindermann
---
 src/site/markdown/security.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/site/markdown/security.md b/src/site/markdown/security.md
index 96cba98..6853151 100644
--- a/src/site/markdown/security.md
+++ b/src/site/markdown/security.md
@@ -113,9 +113,14 @@ Furthermore, Log4j now disables access to JNDI by default. 
JNDI lookups in confi
 Also, Log4j now limits the protocols by default to only java, ldap, and ldaps 
and limits the ldap
 protocols to only accessing Java primitive objects. Hosts other than the local 
host need to be explicitly allowed.
 
+#### Work in progress
+The Log4j team will continue to actively update this page as more information 
becomes known.
+
 #### Credit 
 This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team.
 
+The ThreadContext attack vector was first discovered by Kai Mindermann of iC 
Consult.
+
 #### References
 
[https://issues.apache.org/jira/browse/LOG4J2-3201](https://issues.apache.org/jira/browse/LOG4J2-3201)
 and 
[https://issues.apache.org/jira/browse/LOG4J2-3198](https://issues.apache.org/jira/browse/LOG4J2-3198).
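Review bot: The new credit line under "#### Credit" names "The ThreadContext attack vector" without saying which issue it belongs to, while the existing credit just above it says only "This issue"; a reader of this section cannot tell from the visible lines whether the two credits refer to the same report or to different ones. Consider tying each credit to its identifier or to the section of the page that describes it. Separately, the "#### Work in progress" notice promises that the page will be updated but carries no date, so readers cannot judge how current the mitigation text above it is; a "last updated" date next to the notice would help.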
