[ https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Volkan Yazici updated LOG4J2-3214:
----------------------------------
    Description:
I propose to update the text for the mitigation section of CVE-2021-44228 on [https://logging.apache.org/log4j/2.x/security.html]

Changes: add Log4j 1.x section, and format the Log4j 2.x section as a bullet point list for improved readability.
----
{*}Log4j 1.x mitigation{*}: Audit your logging configuration to ensure it has no {{JMSAppender}} configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.

{*}Log4j 2.x mitigation{*}: Implement one of the below listed mitigation techniques, ordered from the most recommended approach to the least.
# Upgrade to a version >=2.15.0 or later
# For releases >=2.10,
** set system property {{log4j2.formatMsgNoLookups}} to {{true}} (see [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties])
** or set environment variable {{LOG4J_FORMAT_MSG_NO_LOOKUPS}} to {{true}} (see [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties]).
# For releases >=2.7 and <=2.14.1, modify your logging configuration to disable message lookups:
** use {{{}%m{nolookups{}}}} instead of just {{%m}}
** use {{{}%msg{nolookups{}}}} instead of just {{%msg}}
** use {{{}%message{nolookups{}}}} instead of just {{%message}}
# For releases >=2.0-beta9 and <2.7, remove the {{JndiLookup}} class from the classpath: {{zip \-q \-d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class}}

  was:
I propose to update the text for the mitigation section of CVE-2021-44228 on [https://logging.apache.org/log4j/2.x/security.html]

Changes: add Log4j 1.x section, and format the Log4j 2.x section as a bullet point list for improved readability.
----
*Log4j 1.x mitigation* - Audit your logging configuration to ensure it has no {{JMSAppender}} configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.

{*}Log4j 2.x mitigation{*}: (any one of the below will mitigate the vulnerability)
* If possible, upgrade to the latest version: 2.15.0 or later.
* In releases from 2.7 through 2.14.1, you can modify your logging configuration to switch off message lookups:
** use {{{}%m{nolookups{}}}} instead of just {{{}%m{}}}
** use {{{}%msg{nolookups{}}}} instead of just {{{}%msg{}}}
** use {{{}%message{nolookups{}}}} instead of just {{{}%message{}}}
* In releases >=2.10, you can:
** set system property {{log4j2.formatMsgNoLookups}} to {{true}} (see [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties])
** or set environment variable {{LOG4J_FORMAT_MSG_NO_LOOKUPS}} to {{true}} (see [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties]).
* For releases from 2.0-beta9 to 2.7, the only mitigation is to remove the {{JndiLookup}} class from the classpath: {{zip \-q \-d log4j\-core\-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class}}.


> update security page text for CVE-2021-44228
> --------------------------------------------
>
>                 Key: LOG4J2-3214
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3214
>             Project: Log4j 2
>          Issue Type: Documentation
>    Affects Versions: 2.15.0
>            Reporter: Remko Popma
>            Priority: Major
>             Fix For: 2.16.0
>
>
> I propose to update the text for the mitigation section of CVE-2021-44228 on
> [https://logging.apache.org/log4j/2.x/security.html]
> Changes: add Log4j 1.x section, and format the Log4j 2.x section as a bullet
> point list for improved readability.
> ----
> {*}Log4j 1.x mitigation{*}: Audit your logging configuration to ensure it has
> no {{JMSAppender}} configured. Log4j 1.x configurations without JMSAppender
> are not impacted by this vulnerability.
> {*}Log4j 2.x mitigation{*}: Implement one of the below listed mitigation
> techniques, ordered from the most recommended approach to the least.
> # Upgrade to a version >=2.15.0 or later
> # For releases >=2.10,
> ** set system property {{log4j2.formatMsgNoLookups}} to {{true}} (see
> [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties])
> ** or set environment variable {{LOG4J_FORMAT_MSG_NO_LOOKUPS}} to {{true}}
> (see
> [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties]).
> # For releases >=2.7 and <=2.14.1, modify your logging configuration to
> disable message lookups:
> ** use {{{}%m{nolookups{}}}} instead of just {{%m}}
> ** use {{{}%msg{nolookups{}}}} instead of just {{%msg}}
> ** use {{{}%message{nolookups{}}}} instead of just {{%message}}
> # For releases >=2.0-beta9 and <2.7, remove the {{JndiLookup}} class from
> the classpath: {{zip \-q \-d log4j-core-*.jar
> org/apache/logging/log4j/core/lookup/JndiLookup.class}}



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
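The mitigation text above names three things a defender can verify on an already-deployed system without upgrading: that the Log4j 1.x configuration has no JMSAppender, that a log4j-core jar no longer carries the JndiLookup class (the `zip -q -d` step), and that PatternLayout patterns use `%m{nolookups}` rather than bare `%m`/`%msg`/`%message`. The following audit script is an added example written for this page; it is not part of the ticket, the security page, or the Log4j project. The jar it inspects is constructed in memory with placeholder entries, and the helper names (`jar_has_jndi_lookup`, `strip_jndi_lookup`, `pattern_allows_lookups`, `config_has_jms_appender`) are this example's own.

```python
"""Audit helpers for the CVE-2021-44228 mitigations listed in LOG4J2-3214.

Added example, not code from the ticket or from the Log4j project. It checks
the state a defender can inspect on a deployed system: whether a log4j-core
jar still contains JndiLookup.class, whether a PatternLayout pattern still
resolves lookups in the message, and whether a Log4j 1.x config names
JMSAppender. The jar used in __main__ is constructed here, not a real jar.
"""
import io
import re
import zipfile

# Archive entry the ticket's `zip -q -d log4j-core-*.jar ...` command removes.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# %m, %msg or %message, followed by zero or more {option} blocks. Case-sensitive,
# so %M (method) and %marker are not matched; \b stops %m matching inside %map.
_MSG_CONVERSION = re.compile(r"%(?:m|msg|message)\b((?:\{[^}]*\})*)")


def jar_entries(jar_bytes: bytes) -> list:
    """List archive entry names in their stored order."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()


def jar_has_jndi_lookup(jar_bytes: bytes) -> bool:
    """True if the jar still ships the JndiLookup class."""
    return JNDI_LOOKUP_ENTRY in jar_entries(jar_bytes)


def strip_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Return a copy of the jar without JndiLookup.class.

    Same effect as the ticket's zip -d command; zipfile cannot delete in place,
    so the archive is rewritten entry by entry, keeping each entry's metadata.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_ENTRY:
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def pattern_allows_lookups(pattern: str) -> bool:
    """True if any message conversion in a PatternLayout pattern lacks {nolookups}.

    A pattern may carry several option blocks (e.g. %msg{nolookups}{ansi}), so
    every block attached to the conversion is inspected, not just the first.
    """
    for match in _MSG_CONVERSION.finditer(pattern):
        if "nolookups" not in match.group(1):
            return True
    return False


def config_has_jms_appender(config_text: str) -> bool:
    """Log4j 1.x check from the ticket: does the configuration name JMSAppender?"""
    return "JMSAppender" in config_text


def build_demo_jar(include_jndi_lookup: bool) -> bytes:
    """Constructed stand-in for log4j-core; the entry bodies are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_demo_jar(include_jndi_lookup=True)
    print("JndiLookup present before:", jar_has_jndi_lookup(jar))
    print("JndiLookup present after: ", jar_has_jndi_lookup(strip_jndi_lookup(jar)))
    for p in ("%d %p %c - %m%n", "%d %p %c - %m{nolookups}%n", "%msg{nolookups}{ansi}%n"):
        state = "lookups enabled" if pattern_allows_lookups(p) else "lookups disabled"
        print(f"{p!r}: {state}")
```

Run against real files by reading the jar bytes and the PatternLayout strings from your own configuration; the pattern check is a string-level audit and does not replace the version checks in the ticket, since on releases before 2.7 `{nolookups}` is not available and only the class removal applies.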