This is an automated email from the ASF dual-hosted git repository.
pkarwasz pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/logging-site.git
The following commit(s) were added to refs/heads/main by this push:
new 5950fea9 docs: use level-1 headers in _vulnerabilities.adoc
5950fea9 is described below
commit 5950fea980c83d8c30686486df0d7cb92d21f246
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Fri Aug 22 08:46:40 2025 +0200
docs: use level-1 headers in _vulnerabilities.adoc
Use level-1 headers in `_vulnerabilities.adoc` together with
`leveloffset` in the including file. This eliminates IDE warnings
when editing `_vulnerabilities.adoc`.
---
_vulnerabilities.adoc | 62 +++++++++++++++++++++++++--------------------------
security.adoc | 2 +-
2 files changed, 32 insertions(+), 32 deletions(-)
diff --git a/_vulnerabilities.adoc b/_vulnerabilities.adoc
index 31738d90..9a861e10 100644
--- a/_vulnerabilities.adoc
+++ b/_vulnerabilities.adoc
@@ -25,7 +25,7 @@ We only extend this mathematical notation with set union
operator (i.e., `∪`)
====
[#CVE-2021-44832]
-=== {cve-url-prefix}/CVE-2021-44832[CVE-2021-44832]
+== {cve-url-prefix}/CVE-2021-44832[CVE-2021-44832]
[cols="1h,5"]
|===
@@ -37,25 +37,25 @@ We only extend this mathematical notation with set union
operator (i.e., `∪`)
|===
[#CVE-2021-44832-description]
-==== Description
+=== Description
An attacker with write access to the logging configuration can construct a
malicious configuration using a JDBC Appender with a data source referencing a
JNDI URI which can execute remote code.
This issue is fixed by limiting JNDI data source names to the `java` protocol.
[#CVE-2021-44832-mitigation]
-==== Mitigation
+=== Mitigation
Upgrade to `2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.0` (for Java
8 and later).
In prior releases confirm that if the JDBC Appender is being used it is not
configured to use any protocol other than `java`.
[#CVE-2021-44832-references]
-==== References
+=== References
- {cve-url-prefix}/CVE-2021-44832[CVE-2021-44832]
- https://issues.apache.org/jira/browse/LOG4J2-3242[LOG4J2-3242]
[#CVE-2021-45105]
-=== {cve-url-prefix}/CVE-2021-45105[CVE-2021-45105]
+== {cve-url-prefix}/CVE-2021-45105[CVE-2021-45105]
[cols="1h,5"]
|===
@@ -67,14 +67,14 @@ In prior releases confirm that if the JDBC Appender is
being used it is not conf
|===
[#CVE-2021-45105-description]
-==== Description
+=== Description
Log4j versions `2.0-alpha1` through `2.16.0` (excluding `2.3.1` and `2.12.3`),
did not protect from uncontrolled recursion that can be implemented using
self-referential lookups.
When the logging configuration uses a non-default Pattern Layout with a
Context Lookup (for example, `$${ctx:loginId}`), attackers with control over
Thread Context Map (MDC) input data can craft malicious input data that
contains a recursive lookup, resulting in a `StackOverflowError` that will
terminate the process.
This is also known as a _DoS (Denial-of-Service)_ attack.
[#CVE-2021-45105-mitigation]
-==== Mitigation
+=== Mitigation
Upgrade to `2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.0` (for Java
8 and later).
@@ -89,18 +89,18 @@ Note that only the `log4j-core` JAR file is impacted by
this vulnerability.
Applications using only the `log4j-api` JAR file without the `log4j-core` JAR
file are not impacted by this vulnerability.
[#CVE-2021-45105-credits]
-==== Credits
+=== Credits
Independently discovered by Hideki Okamoto of Akamai Technologies, Guy
Lederfein of Trend Micro Research working with Trend Micro's Zero Day
Initiative, and another anonymous vulnerability researcher.
[#CVE-2021-45105-references]
-==== References
+=== References
- {cve-url-prefix}/CVE-2021-45105[CVE-2021-45105]
- https://issues.apache.org/jira/browse/LOG4J2-3230[LOG4J2-3230]
[#CVE-2021-45046]
-=== {cve-url-prefix}/CVE-2021-45046[CVE-2021-45046]
+== {cve-url-prefix}/CVE-2021-45046[CVE-2021-45046]
[cols="1h,5"]
|===
@@ -112,7 +112,7 @@ Independently discovered by Hideki Okamoto of Akamai
Technologies, Guy Lederfein
|===
[#CVE-2021-45046-description]
-==== Description
+=== Description
It was found that the fix to address <<CVE-2021-44228>> in Log4j `2.15.0` was
incomplete in certain non-default configurations.
When the logging configuration uses a non-default Pattern Layout with a Thread
Context Lookup (for example, `$${ctx:loginId}`), attackers with control over
Thread Context Map (MDC) can craft malicious input data using a JNDI Lookup
pattern, resulting in an information leak and remote code execution in some
environments and local code execution in all environments.
@@ -125,25 +125,25 @@ Note that only the `log4j-core` JAR file is impacted by
this vulnerability.
Applications using only the `log4j-api` JAR file without the `log4j-core` JAR
file are not impacted by this vulnerability.
[#CVE-2021-45046-mitigation]
-==== Mitigation
+=== Mitigation
Upgrade to Log4j `2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.16.0` (for
Java 8 and later).
[#CVE-2021-45046-credits]
-==== Credits
+=== Credits
This issue was discovered by Kai Mindermann of iC Consult and separately by
4ra1n.
Additional vulnerability details discovered independently by Ash Fox of
Google, Alvaro Muñoz and Tony Torralba from GitHub, Anthony Weems of
Praetorian, and RyotaK (@ryotkak).
[#CVE-2021-45046-references]
-==== References
+=== References
- {cve-url-prefix}/CVE-2021-45046[CVE-2021-45046]
- https://issues.apache.org/jira/browse/LOG4J2-3221[LOG4J2-3221]
[#CVE-2021-44228]
-=== {cve-url-prefix}/CVE-2021-44228[CVE-2021-44228]
+== {cve-url-prefix}/CVE-2021-44228[CVE-2021-44228]
[cols="1h,5"]
|===
@@ -155,7 +155,7 @@ Additional vulnerability details discovered independently
by Ash Fox of Google,
|===
[#CVE-2021-44228-description]
-==== Description
+=== Description
In Log4j, the JNDI features used in configurations, log messages, and
parameters do not protect against attacker-controlled LDAP and other JNDI
related endpoints.
An attacker who can control log messages or log message parameters can execute
arbitrary code loaded from LDAP servers.
@@ -164,10 +164,10 @@ Note that only the `log4j-core` JAR file is impacted by
this vulnerability.
Applications using only the `log4j-api` JAR file without the `log4j-core` JAR
file are not impacted by this vulnerability.
[#CVE-2021-44228-mitigation]
-==== Mitigation
+=== Mitigation
[#CVE-2021-44228-mitigation-log4j1]
-===== Log4j 1 mitigation
+==== Log4j 1 mitigation
include::_log4j1-eol.adoc[]
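Review bot: the `leveloffset` that `security.adoc` now passes when including `_vulnerabilities.adoc` stays in effect for this nested `include::_log4j1-eol.adoc[]` as well, so any section titles inside `_log4j1-eol.adoc` will also be shifted one level deeper; if that file carries its own headings (rather than only an admonition or paragraph), check the rendered nesting under `==== Log4j 1 mitigation` and compensate with `leveloffset=-1` on this include if needed.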
@@ -178,17 +178,17 @@ To mitigate, audit your logging configuration to ensure
it has no `JMSAppender`
Log4j 1 configurations without `JMSAppender` are not impacted by this
vulnerability.
[#CVE-2021-44228-mitigation-log4j2]
-===== Log4j 2 mitigation
+==== Log4j 2 mitigation
Upgrade to Log4j `2.3.1` (for Java 6), `2.12.2` (for Java 7), or `2.15.0` (for
Java 8 and later).
[#CVE-2021-44228-credits]
-==== Credits
+=== Credits
This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team.
[#CVE-2021-44228-references]
-==== References
+=== References
- {cve-url-prefix}/CVE-2021-44228[CVE-2021-44228]
- https://issues.apache.org/jira/browse/LOG4J2-3198[LOG4J2-3198]
@@ -196,7 +196,7 @@ This issue was discovered by Chen Zhaojun of Alibaba Cloud
Security Team.
- https://issues.apache.org/jira/browse/LOG4J2-3242[LOG4J2-3242]
[#CVE-2020-9488]
-=== {cve-url-prefix}/CVE-2020-9488[CVE-2020-9488]
+== {cve-url-prefix}/CVE-2020-9488[CVE-2020-9488]
[cols="1h,5"]
|===
@@ -208,7 +208,7 @@ This issue was discovered by Chen Zhaojun of Alibaba Cloud
Security Team.
|===
[#CVE-2020-9488-description]
-==== Description
+=== Description
Improper validation of certificate with host mismatch in SMTP appender.
This could allow an SMTPS connection to be intercepted by a man-in-the-middle
attack which could leak any log
@@ -220,25 +220,25 @@ This includes `HttpAppender`, `SocketAppender`, and
`SyslogAppender`.
Usages of `SslConfiguration` that are configured via system properties are not
affected.
[#CVE-2020-9488-mitigation]
-==== Mitigation
+=== Mitigation
Upgrade to `2.3.2` (Java 6), `2.12.3` (Java 7) or `2.13.2` (Java 8 and later).
Alternatively, users can set the `mail.smtp.ssl.checkserveridentity` system
property to `true` to enable SMTPS hostname verification for all SMTPS mail
sessions.
[#CVE-2020-9488-credits]
-==== Credits
+=== Credits
This issue was discovered by Peter Stöckli.
[#CVE-2020-9488-references]
-==== References
+=== References
- {cve-url-prefix}/CVE-2020-9488[CVE-2020-9488]
- https://issues.apache.org/jira/browse/LOG4J2-2819[LOG4J2-2819]
[#CVE-2017-5645]
-=== {cve-url-prefix}/CVE-2017-5645[CVE-2017-5645]
+== {cve-url-prefix}/CVE-2017-5645[CVE-2017-5645]
[cols="1h,5"]
|===
@@ -250,23 +250,23 @@ This issue was discovered by Peter Stöckli.
|===
[#CVE-2017-5645-description]
-==== Description
+=== Description
When using the TCP socket server or UDP socket server to receive serialized
log events from another application, a specially crafted binary payload can be
sent that, when deserialized, can execute arbitrary code.
[#CVE-2017-5645-mitigation]
-==== Mitigation
+=== Mitigation
Java 7 and above users should migrate to version `2.8.2` or avoid using the
socket server classes.
Java 6 users should avoid using the TCP or UDP socket server classes, or they
can manually backport
https://github.com/apache/logging-log4j2/commit/5dcc192[the security fix
commit] from `2.8.2`.
[#CVE-2017-5645-credits]
-==== Credits
+=== Credits
This issue was discovered by Marcio Almeida de Macedo of Red Team at Telstra.
[#CVE-2017-5645-references]
-==== References
+=== References
- {cve-url-prefix}/CVE-2017-5645[CVE-2017-5645]
- https://issues.apache.org/jira/browse/LOG4J2-1863[LOG4J2-1863]
diff --git a/security.adoc b/security.adoc
index 9d8b91ae..7786936c 100644
--- a/security.adoc
+++ b/security.adoc
@@ -65,4 +65,4 @@ include::_sbom.adoc[]
[#vulnerabilities]
== Known vulnerabilities
-include::_vulnerabilities.adoc[]
+include::_vulnerabilities.adoc[leveloffset=+1]
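Review bot: `leveloffset=+1` under the level-1 `== Known vulnerabilities` section turns the new `==` CVE headings back into `===`, so the rendered output matches the previous `===`/`====`/`=====` hierarchy and the `[#CVE-...]` anchors (and the `<<CVE-2021-44228>>` cross-reference) are unaffected. The offset is only applied here, though: if any other page includes `_vulnerabilities.adoc`, it must receive the same `[leveloffset=+1]`, otherwise its vulnerability entries will render one level too high.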