This is an automated email from the ASF dual-hosted git repository.

pkarwasz pushed a commit to branch cyclonedx
in repository https://gitbox.apache.org/repos/asf/logging-site.git


The following commit(s) were added to refs/heads/cyclonedx by this push:
     new e9ccda8c Proofread CVE fix versions in `vdr.xml` (#7)
e9ccda8c is described below

commit e9ccda8ca67440d3bfb7d3c37c240522e084eaf7
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Fri Aug 22 08:07:18 2025 +0200

    Proofread CVE fix versions in `vdr.xml` (#7)
    
    * feat: proofread CVE fix versions in `vdr.xml`
    
    - Updated `vdr.xml` to align with the proofread versioning details
      from PR #7.
    - Introduced a `<metadata>` element to record contact information
      for the Apache Logging Services PMC and Security Team, as well as
      the timestamp of the last modification.
    - Refreshed the `<updated>` timestamps in all modified `<vulnerability>`
      entries.
    - Added inline comment with instructions on how to properly
      update and maintain the VDR file.
    
    * fix: restore original update date for CVE-2021-45105
    
    * fix: update contact information
    
    Update the contact information based on review feedback.
---
 vdr.xml | 58 +++++++++++++++++++++++++++++++++++++---------------------
 1 file changed, 37 insertions(+), 21 deletions(-)

diff --git a/vdr.xml b/vdr.xml
index 98807dca..110dc499 100644
--- a/vdr.xml
+++ b/vdr.xml
@@ -15,7 +15,6 @@
   ~ See the License for the specific language governing permissions and
   ~ limitations under the License.
   -->
-
 <!-- This file is a Vulnerability Disclosure Report (VDR) covering all Apache 
Logging Services[1] projects.
      This file adheres to the CycloneDX SBOM specification[2].
 
@@ -23,21 +22,35 @@
 
      All Apache Logging Services projects (e.g., Log4j) generate SBOMs 
containing `vulnerability-assertion` entries with links to this file.
 
-     If you need help on addressing these vulnerabilities, 
suggestions/corrections on the content, and/or reporting new vulnerabilities, 
please refer to the Log4j support page[3].
+     If you need help in addressing these vulnerabilities, 
suggestions/corrections on the content, and/or reporting new vulnerabilities, 
please refer to the Log4j support page[3].
 
      This file is maintained in version control[4].
 
+     To update the VDR:
+     1. Increment the `version` attribute in the `<bom>` element.
+     2. Update the `<timestamp>` element in the `<metadata>` section
+        to the current UTC date and time.
+     3. For each modified `<vulnerability>`, update its `<updated>` element.
+
      [1] https://logging.apache.org
      [2] https://cyclonedx.org
      [3] https://logging.apache.org/log4j/2.x/support.html
      [4] https://github.com/apache/logging-site/tree/cyclonedx
      -->
 <bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
-     xmlns="http://cyclonedx.org/schema/bom/1.5";
-     xsi:schemaLocation="http://cyclonedx.org/schema/bom/1.5 
https://cyclonedx.org/schema/bom-1.5.xsd";
-     version="2"
+     xmlns="http://cyclonedx.org/schema/bom/1.6";
+     xsi:schemaLocation="http://cyclonedx.org/schema/bom/1.6 
https://cyclonedx.org/schema/bom-1.6.xsd";
+     version="3"
      serialNumber="urn:uuid:dfa35519-9734-4259-bba1-3e825cf4be06">
 
+  <metadata>
+    <timestamp>2025-08-17T11:18:06Z</timestamp>
+    <manufacturer>
+      <name>Apache Logging Services</name>
+      <url>https://logging.apache.org</url>
+    </manufacturer>
+  </metadata>
+
   <!-- We add *dummy* components to refer to in `affects` blocks.
        This is necessary, since not all Log4j components have SBOMs associated 
with them. -->
   <components>
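Review bot: the `<metadata>` block added here records only a `<manufacturer>` name and URL, while the commit message says it records contact information for the PMC and the Security Team; either add `<contact>` children under `<manufacturer>` (CycloneDX `organizationalEntity` allows `<contact><name>PLACEHOLDER-NAME</name><email>PLACEHOLDER-ADDRESS</email></contact>`) or adjust the message so the two agree. It would also help future maintainers if the new "To update the VDR" comment mentioned that `<manufacturer>` under `<metadata>` is what requires the 1.5 to 1.6 schema bump made on the same lines (1.5 only knows `<manufacture>`), and that step 3 expects each `<updated>` value to be the same instant as the `<metadata>` `<timestamp>`, which is what this commit does with `2025-08-17T11:18:06Z`.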
@@ -76,24 +89,24 @@
       </cwes>
       <description><![CDATA[An attacker with write access to the logging 
configuration can construct a malicious configuration using a JDBC Appender 
with a data source referencing a JNDI URI which can execute remote code.
 This issue is fixed by limiting JNDI data source names to the `java` 
protocol.]]></description>
-      <recommendation><![CDATA[Upgrade to `2.3.2` (for Java 6), `2.12.4` (for 
Java 7), or `2.17.1` (for Java 8 and later).
+      <recommendation><![CDATA[Upgrade to `2.3.1` (for Java 6), `2.12.3` (for 
Java 7), or `2.17.0` (for Java 8 and later).
 
 In prior releases confirm that if the JDBC Appender is being used it is not 
configured to use any protocol other than `java`.]]></recommendation>
       <created>2021-12-28T00:00:00Z</created>
       <published>2021-12-28T00:00:00Z</published>
-      <updated>2022-08-08T00:00:00Z</updated>
+      <updated>2025-08-17T11:18:06Z</updated>
       <affects>
         <target>
           <ref>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</ref>
           <versions>
             <version>
-              <range><![CDATA[vers:maven/>=2.0-beta7|<2.3.2]]></range>
+              <range><![CDATA[vers:maven/>=2.0-beta7|<2.3.1]]></range>
             </version>
             <version>
-              <range><![CDATA[vers:maven/>=2.4|<2.12.4]]></range>
+              <range><![CDATA[vers:maven/>=2.4|<2.12.3]]></range>
             </version>
             <version>
-              <range><![CDATA[vers:maven/>=2.13.0|<2.17.1]]></range>
+              <range><![CDATA[vers:maven/>=2.13.0|<2.17.0]]></range>
             </version>
           </versions>
         </target>
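Review bot: please verify the new fix versions in this hunk against the original advisory before merging. The `<description>` (JDBC Appender with a JNDI data source, fixed by restricting data source names to the `java` protocol) is the issue whose security fix releases were `2.17.1`, `2.12.4` and `2.3.2`, i.e. exactly the values this hunk removes; the new upper bounds `<2.17.0`, `<2.12.3` and `<2.3.1` would mark 2.17.0, 2.12.3 and 2.3.1 as unaffected, and the entry's `<created>` date of 2021-12-28 is after the 2.17.0 release. If the intent was to shift each entry's versions to line up with the entries that follow, this one appears to have been shifted down one release too far.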
@@ -210,10 +223,10 @@ Remote code execution has been demonstrated on macOS, 
Fedora, Arch Linux, and Al
 
 Note that this vulnerability is not limited to just the JNDI lookup.
 Any other Lookup could also be included in a Thread Context Map variable and 
possibly have private details exposed to anyone with access to the 
logs.]]></description>
-      <recommendation><![CDATA[Upgrade to Log4j `2.3.1` (for Java 6), `2.12.3` 
(for Java 7), or `2.17.0` (for Java 8 and later).]]></recommendation>
+      <recommendation><![CDATA[Upgrade to Log4j `2.3.1` (for Java 6), `2.12.3` 
(for Java 7), or `2.16.0` (for Java 8 and later).]]></recommendation>
       <created>2021-12-14T00:00:00Z</created>
       <published>2021-12-14T00:00:00Z</published>
-      <updated>2023-10-26T00:00:00Z</updated>
+      <updated>2025-08-17T11:18:06Z</updated>
       <credits>
         <individuals>
           <individual>
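Review bot: the recommendation moves the Java 8 fix to `2.16.0` but leaves the Java 7 fix at `2.12.3`. For the Thread Context Map lookup issue described above, the Java 7 release that shipped alongside `2.16.0` was `2.12.2`, so `2.12.3` looks like a leftover from the previous values; please confirm and, if so, change the recommendation to `2.12.2` (for Java 7) so it matches the corresponding `<range>` for this entry.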
@@ -250,7 +263,7 @@ Any other Lookup could also be included in a Thread Context 
Map variable and pos
               <range><![CDATA[vers:maven/>=2.4|<2.12.3]]></range>
             </version>
             <version>
-              <range><![CDATA[vers:maven/>=2.13.0|<2.17.0]]></range>
+              <range><![CDATA[vers:maven/>=2.13.0|<2.16.0]]></range>
             </version>
           </versions>
         </target>
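Review bot: only the Java 8 range is adjusted here (`<2.17.0` to `<2.16.0`) while the Java 7 context line keeps `vers:maven/>=2.4|<2.12.3`. If this entry is the Thread Context Map lookup issue whose Java 8 fix is `2.16.0`, the Java 7 bound should most likely be `<2.12.2`, the Java 7 release published together with `2.16.0`; please check and update the range in the same commit so the recommendation text and the `affects` ranges do not drift apart.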
@@ -299,10 +312,10 @@ Any other Lookup could also be included in a Thread 
Context Map variable and pos
       </cwes>
       <description><![CDATA[In Log4j, the JNDI features used in 
configurations, log messages, and parameters do not protect against 
attacker-controlled LDAP and other JNDI related endpoints.
 An attacker who can control log messages or log message parameters can execute 
arbitrary code loaded from LDAP servers.]]></description>
-      <recommendation><![CDATA[Upgrade to Log4j `2.3.1` (for Java 6), `2.12.3` 
(for Java 7), or `2.17.0` (for Java 8 and later).]]></recommendation>
+      <recommendation><![CDATA[Upgrade to Log4j `2.3.1` (for Java 6), `2.12.2` 
(for Java 7), or `2.15.0` (for Java 8 and later).]]></recommendation>
       <created>2021-12-10T00:00:00Z</created>
       <published>2021-12-10T00:00:00Z</published>
-      <updated>2023-04-03T00:00:00Z</updated>
+      <updated>2025-08-17T11:18:06Z</updated>
       <credits>
         <individuals>
           <individual>
@@ -318,10 +331,10 @@ An attacker who can control log messages or log message 
parameters can execute a
               <range><![CDATA[vers:maven/>=2.0-beta9|<2.3.1]]></range>
             </version>
             <version>
-              <range><![CDATA[vers:maven/>=2.4|<2.12.3]]></range>
+              <range><![CDATA[vers:maven/>=2.4|<2.12.2]]></range>
             </version>
             <version>
-              <range><![CDATA[vers:maven/>=2.13.0|<2.17.0]]></range>
+              <range><![CDATA[vers:maven/>=2.13.0|<2.15.0]]></range>
             </version>
           </versions>
         </target>
@@ -366,12 +379,12 @@ The reported issue was caused by an error in 
`SslConfiguration`.
 Any element using `SslConfiguration` in the Log4j `Configuration` is also 
affected by this issue.
 This includes `HttpAppender`, `SocketAppender`, and `SyslogAppender`.
 Usages of `SslConfiguration` that are configured via system properties are not 
affected.]]></description>
-      <recommendation><![CDATA[Upgrade to `2.12.3` (Java 7) or `2.13.2` (Java 
8 and later).
+      <recommendation><![CDATA[Upgrade to `2.3.2` (Java 6), `2.12.3` (Java 7) 
or `2.13.2` (Java 8 and later).
 
 Alternatively, users can set the `mail.smtp.ssl.checkserveridentity` system 
property to `true` to enable SMTPS hostname verification for all SMTPS mail 
sessions.]]></recommendation>
       <created>2017-04-27T00:00:00Z</created>
       <published>2017-04-27T00:00:00Z</published>
-      <updated>2022-05-12T00:00:00Z</updated>
+      <updated>2025-08-17T11:18:06Z</updated>
       <credits>
         <individuals>
           <individual>
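Review bot: minor style point on the new recommendation line: the other entries phrase the Java levels as `(for Java 6)`, `(for Java 7)`, `(for Java 8 and later)` with a comma before `or`, whereas this one reads `(Java 6), \`2.12.3\` (Java 7) or \`2.13.2\` (Java 8 and later)`. Consider `Upgrade to \`2.3.2\` (for Java 6), \`2.12.3\` (for Java 7), or \`2.13.2\` (for Java 8 and later).` so the wording is consistent across the file.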
@@ -384,10 +397,13 @@ Alternatively, users can set the 
`mail.smtp.ssl.checkserveridentity` system prop
           <ref>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</ref>
           <versions>
             <version>
-              <range><![CDATA[vers:maven/>=2.0-beta1|<2.12.3]]></range>
+              <range><![CDATA[vers:maven/>=2.0-beta1|<2.3.2]]></range>
+            </version>
+            <version>
+              <range><![CDATA[vers:maven/>=2.4|<2.12.3]]></range>
             </version>
             <version>
-              <version><![CDATA[vers:maven/2.13.1]]></version>
+              <version><![CDATA[vers:maven/>=2.13.0|<2.13.2]]></version>
             </version>
           </versions>
         </target>
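Review bot: the third entry puts a vers range into a `<version>` element (`<version><![CDATA[vers:maven/>=2.13.0|<2.13.2]]></version>`), while the two sibling entries in this hunk use `<range>` for their ranges. In CycloneDX `<version>` carries a single version string and `<range>` carries a range, so tools validating or consuming this VDR may reject or misread the third entry; it should be `<range><![CDATA[vers:maven/>=2.13.0|<2.13.2]]></range>` like the others. The previous value was a single `2.13.1`, which is why `<version>` was correct before this change.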
