This is an automated email from the ASF dual-hosted git repository.

rpopma pushed a commit to branch release-2.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git


The following commit(s) were added to refs/heads/release-2.x by this push:
     new cfdc346  [DOC] update index page markdown with changes that were made directly to the site
cfdc346 is described below

commit cfdc346f4089e444db10aea3b099bdbea00636ac
Author: rpopma <rpo...@apache.org>
AuthorDate: Fri Dec 17 08:41:32 2021 +0900

    [DOC] update index page markdown with changes that were made directly to the site
---
 src/site/markdown/index.md.vm | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/site/markdown/index.md.vm b/src/site/markdown/index.md.vm
index 8e6fc69..3574ef2 100644
--- a/src/site/markdown/index.md.vm
+++ b/src/site/markdown/index.md.vm
@@ -44,7 +44,11 @@ Note that previous mitigations involving configuration such 
as setting the syste
 to `true` do NOT mitigate this specific vulnerability.
 
 $h4 Mitigation
-From version 2.16.0, Log4j disables access to JNDI by default. JNDI lookups in 
configuration now need to be enabled explicitly.
+In version 2.12.2 (for Java 7), Log4j disables access to JNDI by default. 
Usage of JNDI in configuration now need to be enabled explicitly.
+Calls to the JndiLookup will now return a constant string. Also, Log4j now 
limits the protocols by default to only java.
+The message lookups feature has been completely removed.
+
+From version 2.16.0 (for Java 8), Log4j disables access to JNDI by default. 
JNDI lookups in configuration now need to be enabled explicitly.
 Also, Log4j now limits the protocols by default to only java, ldap, and ldaps 
and limits the ldap
 protocols to only accessing Java primitive objects. Hosts other than the local 
host need to be explicitly allowed.
 The message lookups feature has been completely removed.
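Review bot: grammar in the added 2.12.2 paragraph: "Usage of JNDI in configuration now need to be enabled explicitly" should read "now needs to be enabled explicitly". The same paragraph also ends with "The message lookups feature has been completely removed." and the 2.16.0 paragraph below repeats that sentence word for word, while the two paragraphs differ on the default protocol list ("only java" for 2.12.2 versus "java, ldap, and ldaps" for 2.16.0); since readers use this section to decide what each version actually restricts, consider restructuring it as one per-version list so the shared statements appear once and the differing protocol defaults stand out.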
@@ -70,7 +74,11 @@ that remote server. This in turn could execute any code 
during deserialization.
 This is known as a RCE (Remote Code Execution) attack.
 
 $h4 Mitigation
-From version 2.16.0, the message lookups feature has been completely removed. 
Lookups in configuration still work.
+In version 2.12.2 (for Java 7), Log4j disables access to JNDI by default. 
Usage of JNDI in configuration now need to be enabled explicitly.
+Calls to the JndiLookup will now return a constant string. Also, Log4j now 
limits the protocols by default to only java.
+The message lookups feature has been completely removed.
+
+From version 2.16.0 (for Java 8), the message lookups feature has been 
completely removed. Lookups in configuration still work.
 Furthermore, Log4j now disables access to JNDI by default. JNDI lookups in 
configuration now need to be enabled explicitly.
 Also, Log4j now limits the protocols by default to only java, ldap, and ldaps 
and limits the ldap
 protocols to only accessing Java primitive objects. Hosts other than the local 
host need to be explicitly allowed.
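Review bot: the 2.12.2 paragraph added in this hunk is a verbatim copy of the one added to the first Mitigation section, including the same grammar slip ("now need to be" should be "now needs to be"), but this section's topic is the message lookups feature, and the matching 2.16.0 paragraph below opens with "the message lookups feature has been completely removed" before mentioning JNDI. Suggest reordering the 2.12.2 paragraph to lead with "In version 2.12.2 (for Java 7), the message lookups feature has been completely removed." for consistency with the 2.16.0 text, and fixing the grammar in both places.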
