[jira] [Commented] (LOG4J2-3214) Update security page text for CVE-2021-44228

2021-12-13 Thread Remko Popma (Jira)


[ 
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458749#comment-17458749
 ] 

Remko Popma commented on LOG4J2-3214:
-

Update: mention the separate CVE (CVE-2021-4104) for Log4j 1.x, and add a line 
that the log4j-api is not impacted.

> Update security page text for CVE-2021-44228
> 
>
> Key: LOG4J2-3214
> URL: https://issues.apache.org/jira/browse/LOG4J2-3214
> Project: Log4j 2
>  Issue Type: Documentation
>Affects Versions: 2.15.0
>Reporter: Remko Popma
>Priority: Major
> Fix For: 2.16.0
>
>
> I propose to update the text for the mitigation section of CVE-2021-44228 on 
> [https://logging.apache.org/log4j/2.x/security.html]
> Changes: add Log4j 1.x section, and format the Log4j 2.x section as a bullet 
> point list for improved readability.
> 
> *Log4j 1.x mitigation*: Audit your logging configuration to ensure it has 
> no {{JMSAppender}} configured. Log4j 1.x configurations without JMSAppender 
> are not impacted by this vulnerability. (Note that there is a separate CVE 
> (CVE-2021-4104) for this vulnerability now.)
> *Log4j 2.x mitigation*: Implement one of the mitigation techniques below.
>  * Upgrade to release 2.15.0 or later
>  * For releases >= 2.10,
>  ** set system property {{log4j2.formatMsgNoLookups}} to {{true}} (see 
> [https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties])
>  ** or set environment variable {{LOG4J_FORMAT_MSG_NO_LOOKUPS}} to {{true}} 
> (see 
> [https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties]).
>  * For releases >= 2.7 and <= 2.14.1, modify your logging configuration to 
> disable message lookups:
>  ** use {{%m{nolookups}}} instead of just {{%m}}
>  ** use {{%msg{nolookups}}} instead of just {{%msg}}
>  ** use {{%message{nolookups}}} instead of just {{%message}}
>  * For releases >= 2.0-beta9 and < 2.7, the only mitigation is to remove the 
> {{JndiLookup}} class from the classpath: {{zip -q -d log4j-core-*.jar 
> org/apache/logging/log4j/core/lookup/JndiLookup.class}}
> The log4j-api JAR file in Log4j2 is not impacted by this vulnerability.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
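The mitigation matrix from the issue text quoted above, applied to an actual log4j-core JAR, as an added example; it is not part of the Jira issue or of the Log4j code base. It encodes the four version ranges from the issue (upgrade, system property or environment variable, `%m{nolookups}`, removal of `JndiLookup.class`), adds the 2.0-beta9 caveat Steve Parker raises further down the thread, and checks whether the class-removal mitigation has already been applied to a JAR. The version is read from the manifest's `Implementation-Version` or `Bundle-Version` entry (assumed to be present in real log4j-core JARs) or, failing that, from a `log4j-core-<version>.jar` file name; the JAR used in the demo is a constructed stand-in with dummy class entries.

```python
"""Added example (not part of LOG4J2-3214 or the Log4j code base): apply the
mitigation matrix from the issue text to a log4j-core JAR."""
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# (major, minor, patch, is_final, prerelease_no): "2.0-beta9" sorts before "2.0"
Version = Tuple[int, int, int, int, int]
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:beta|rc)(\d+))?")


def parse_version(text: str) -> Version:
    """Turn "2.0-beta9", "2.7" or "2.14.1" into a comparable tuple."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1, int(pre or 0))


def applicable_mitigations(version: str) -> List[str]:
    """The options the issue text lists for this version, in the issue's order."""
    v = parse_version(version)
    if v >= parse_version("2.15.0"):
        return ["already at or above 2.15.0, the upgrade target in the issue text"]
    if v < parse_version("2.0-beta9"):
        return ["older than 2.0-beta9: outside every range the issue text covers"]
    options = ["upgrade to release 2.15.0 or later"]
    if v >= parse_version("2.10"):
        options.append("set system property log4j2.formatMsgNoLookups=true or "
                       "environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true")
    if parse_version("2.7") <= v <= parse_version("2.14.1"):
        options.append("use %m{nolookups} (or %msg/%message) in the PatternLayout")
    if v < parse_version("2.7"):
        options.append(f"remove {JNDI_LOOKUP_ENTRY} from the log4j-core JAR "
                       "(the only option besides upgrading for this range)")
        if v == parse_version("2.0-beta9"):
            # Caveat from the thread: 2.0-beta9's Interpolator always loads
            # JndiLookup, so the application may not start once it is removed.
            options.append("caveat: 2.0-beta9 loads JndiLookup unconditionally; "
                           "removing the class may stop the application starting")
    return options


def read_jar_version(jar: zipfile.ZipFile, filename: str) -> Optional[str]:
    """Version from the manifest (Implementation-Version or Bundle-Version, which
    we assume real log4j-core JARs carry), else from a log4j-core-<ver>.jar name."""
    try:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        manifest = ""
    for key in ("Implementation-Version", "Bundle-Version"):
        m = re.search(rf"^{key}:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return m.group(1)
    m = re.search(r"log4j-core-(\d[^/\\]*?)\.jar$", filename)
    return m.group(1) if m else None


def audit_jar(data: bytes, filename: str = "log4j-core.jar") -> Dict[str, object]:
    """Report the version, whether JndiLookup.class is still present, and the options."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        version = read_jar_version(jar, filename)
        present = JNDI_LOOKUP_ENTRY in jar.namelist()
    return {"version": version, "jndi_lookup_present": present,
            "mitigations": applicable_mitigations(version) if version else ["version unknown"]}


def remove_jndi_lookup(data: bytes) -> bytes:
    """Rewrite the JAR without JndiLookup.class; the same effect as the issue's
    `zip -q -d log4j-core-*.jar org/.../JndiLookup.class`, but into a new file."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_ENTRY:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_jar(version: str) -> bytes:
    """Constructed stand-in for a log4j-core JAR (two dummy class entries)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        jar.writestr("org/apache/logging/log4j/core/lookup/Interpolator.class", b"\xca\xfe")
        jar.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe")
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar("2.6.2")
    print(audit_jar(jar, "log4j-core-2.6.2.jar"))
    print(audit_jar(remove_jndi_lookup(jar), "log4j-core-2.6.2.jar"))
```

Running the module audits a constructed 2.6.2 JAR before and after the class removal; on a real deployment you would pass the bytes of each log4j-core JAR found on the classpath (the `remove_jndi_lookup` output must then replace the original JAR, which the issue's `zip -d` command does in place).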


[jira] [Commented] (LOG4J2-3214) Update security page text for CVE-2021-44228

2021-12-13 Thread Volkan Yazici (Jira)


[ 
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458696#comment-17458696
 ] 

Volkan Yazici commented on LOG4J2-3214:
---

I am back, again! The way it is now looks good to me. (y)

> Update security page text for CVE-2021-44228
> 
>
> Key: LOG4J2-3214
> URL: https://issues.apache.org/jira/browse/LOG4J2-3214
> Project: Log4j 2
>  Issue Type: Documentation
>Affects Versions: 2.15.0
>Reporter: Remko Popma
>Priority: Major
> Fix For: 2.16.0
>
>
> I propose to update the text for the mitigation section of CVE-2021-44228 on 
> [https://logging.apache.org/log4j/2.x/security.html]
> Changes: add Log4j 1.x section, and format the Log4j 2.x section as a bullet 
> point list for improved readability.
> 
> *Log4j 1.x mitigation*: Audit your logging configuration to ensure it has 
> no {{JMSAppender}} configured. Log4j 1.x configurations without JMSAppender 
> are not impacted by this vulnerability.
> *Log4j 2.x mitigation*: Implement one of the mitigation techniques below.
>  * Upgrade to release 2.15.0 or later
>  * For releases >= 2.10,
>  ** set system property {{log4j2.formatMsgNoLookups}} to {{true}} (see 
> [https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties])
>  ** or set environment variable {{LOG4J_FORMAT_MSG_NO_LOOKUPS}} to {{true}} 
> (see 
> [https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties]).
>  * For releases >= 2.7 and <= 2.14.1, modify your logging configuration to 
> disable message lookups:
>  ** use {{%m{nolookups}}} instead of just {{%m}}
>  ** use {{%msg{nolookups}}} instead of just {{%msg}}
>  ** use {{%message{nolookups}}} instead of just {{%message}}
>  * For releases >= 2.0-beta9 and < 2.7, the only mitigation is to remove the 
> {{JndiLookup}} class from the classpath: {{zip -q -d log4j-core-*.jar 
> org/apache/logging/log4j/core/lookup/JndiLookup.class}}





[jira] [Commented] (LOG4J2-3214) Update security page text for CVE-2021-44228

2021-12-13 Thread Mark J. Cox (Jira)


[ 
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458520#comment-17458520
 ] 

Mark J. Cox commented on LOG4J2-3214:
-

Gary, although the CVE was initially allocated from the Red Hat CNA, the text 
we sent to cve.org was written by the ASF and the "owner" of the CVE is being 
transferred to ASF.  It will be visible on cve.org soon.






[jira] [Commented] (LOG4J2-3214) Update security page text for CVE-2021-44228

2021-12-13 Thread Gary D. Gregory (Jira)


[ 
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458513#comment-17458513
 ] 

Gary D. Gregory commented on LOG4J2-3214:
-

The confusion is made worse as CVE-2021-4104 is a RedHat "CVE" which is not 
registered with cve.org.






[jira] [Commented] (LOG4J2-3214) Update security page text for CVE-2021-44228

2021-12-13 Thread Mark J. Cox (Jira)


[ 
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458508#comment-17458508
 ] 

Mark J. Cox commented on LOG4J2-3214:
-

Note CVE-2021-4104 is for log4j 1.x now; please can you quote it on the updated 
page.






[jira] [Commented] (LOG4J2-3214) Update security page text for CVE-2021-44228

2021-12-13 Thread Steve Parker (Jira)


[ 
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458489#comment-17458489
 ] 

Steve Parker commented on LOG4J2-3214:
--

{quote}
The reason we single out this version range 2.0-beta9 to <2.7 is because for 
this version range, modifying the log4j-core JAR is the only mitigation 
mechanism available.
{quote}
In 2.0-beta9, the Interpolator class always tries to load the JndiLookup class, 
so if the class is removed from the JAR file, an unhandled exception will be 
thrown.

See [Interpolator.java 
2.0-beta9|https://github.com/apache/logging-log4j2/blob/log4j-2.0-beta9/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java]

In later versions, it tries to load the class first and handles any exception 
as a warning.

See [Interpolator.java 
2.15.0|https://github.com/apache/logging-log4j2/blob/rel/2.15.0/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java]

Applications using 2.0-beta9 that don't handle the exception may not start if 
the JndiLookup class is not found.






[jira] [Commented] (LOG4J2-3214) Update security page text for CVE-2021-44228

2021-12-13 Thread Andreas Pabst (Jira)


[ 
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458463#comment-17458463
 ] 

Andreas Pabst commented on LOG4J2-3214:
---

Considering that for version range 2.0-beta9 to <2.7 no configuration-only 
mitigation is possible, I would suggest also mentioning the option to set the 
log level to OFF as a short-term mitigation for vulnerable production 
applications that cannot upgrade immediately.






[jira] [Commented] (LOG4J2-3214) Update security page text for CVE-2021-44228

2021-12-13 Thread Gary D. Gregory (Jira)


[ 
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458385#comment-17458385
 ] 

Gary D. Gregory commented on LOG4J2-3214:
-

I made a couple of readability tweaks.






[jira] [Commented] (LOG4J2-3214) update security page text for CVE-2021-44228

2021-12-13 Thread Gary D. Gregory (Jira)


[ 
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458347#comment-17458347
 ] 

Gary D. Gregory commented on LOG4J2-3214:
-

I would like to replace the "details" links with actual links, to make cut and 
paste more solid.

> update security page text for CVE-2021-44228
> 
>
> Key: LOG4J2-3214
> URL: https://issues.apache.org/jira/browse/LOG4J2-3214
> Project: Log4j 2
>  Issue Type: Documentation
>Affects Versions: 2.15.0
>Reporter: Remko Popma
>Priority: Major
> Fix For: 2.16.0
>
>
> I propose to update the text for the mitigation section of CVE-2021-44228 on 
> [https://logging.apache.org/log4j/2.x/security.html]
> Changes: add Log4j 1.x section, and format the Log4j 2.x section as a bullet 
> point list for improved readability.
> 
> *Log4j 1.x mitigation*: Audit your logging configuration to ensure it has 
> no {{JMSAppender}} configured. Log4j 1.x configurations without JMSAppender 
> are not impacted by this vulnerability.
> *Log4j 2.x mitigation*: Implement one of the below listed mitigation 
> techniques.
>  * Upgrade to release 2.15.0 or later
>  * For releases >=2.10,
>  ** set system property {{log4j2.formatMsgNoLookups}} to {{true}} (see 
> [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties])
>  ** or set environment variable {{LOG4J_FORMAT_MSG_NO_LOOKUPS}} to {{true}} 
> (see 
> [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties]).
>  * For releases >=2.7 and <=2.14.1, modify your logging configuration to 
> disable message lookups:
>  ** use {{%m{nolookups}}} instead of just {{%m}}
>  ** use {{%msg{nolookups}}} instead of just {{%msg}}
>  ** use {{%message{nolookups}}} instead of just {{%message}}
>  * For releases >=2.0-beta9 and <2.7, the only mitigation is to remove the 
> {{JndiLookup}} class from the classpath: {{zip -q -d log4j-core-*.jar 
> org/apache/logging/log4j/core/lookup/JndiLookup.class}}





[jira] [Commented] (LOG4J2-3214) update security page text for CVE-2021-44228

2021-12-13 Thread Remko Popma (Jira)


[ 
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458341#comment-17458341
 ] 

Remko Popma commented on LOG4J2-3214:
-

[~AlexanderYastrebov] thank you for the feedback!

{quote}
> For releases >=2.0-beta9 and <2.7, remove the {{JndiLookup}}
I think the version range should include all versions, i.e. right boundary 
should be the latest affected version. If users go for patching the library 
they might want to patch all the versions instead of applying different fixes 
for different versions
{quote}

The reason we single out this version range 2.0-beta9 to <2.7 is because for 
this version range, modifying the log4j-core JAR is the *only* mitigation 
mechanism available. I will update the text to emphasize this.

[~vy] It looks like with even only 3 people we already have very different 
ideas of what the "preferred" mitigation mechanism is. This likely differs a 
lot per environment. I propose we do not attempt to create a hierarchy of 
preference, and just make it a simple bullet point list instead, where any of 
the options is a valid mechanism.

One argument for ordering the mitigation mechanisms as below is that this is 
the conventional order for any customization, but I am open to switching 2 and 
3...

* latest version (no config needed)
* config 
* system prop/environment var
* modify the JAR

I will change the wording to reflect the above.

> update security page text for CVE-2021-44228
> 
>
> Key: LOG4J2-3214
> URL: https://issues.apache.org/jira/browse/LOG4J2-3214
> Project: Log4j 2
>  Issue Type: Documentation
>Affects Versions: 2.15.0
>Reporter: Remko Popma
>Priority: Major
> Fix For: 2.16.0
>
>
> I propose to update the text for the mitigation section of CVE-2021-44228 on 
> [https://logging.apache.org/log4j/2.x/security.html]
> Changes: add Log4j 1.x section, and format the Log4j 2.x section as a bullet 
> point list for improved readability.
> 
> *Log4j 1.x mitigation*: Audit your logging configuration to ensure it has 
> no {{JMSAppender}} configured. Log4j 1.x configurations without JMSAppender 
> are not impacted by this vulnerability.
> *Log4j 2.x mitigation*: Implement one of the below listed mitigation 
> techniques, ordered from the most recommended approach to the least.
>  # Upgrade to a version >=2.15.0 or later
>  # For releases >=2.10,
>  ** set system property {{log4j2.formatMsgNoLookups}} to {{true}} (see 
> [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties])
>  ** or set environment variable {{LOG4J_FORMAT_MSG_NO_LOOKUPS}} to {{true}} 
> (see 
> [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties]).
>  # For releases >=2.7 and <=2.14.1, modify your logging configuration to 
> disable message lookups:
>  ** use {{%m{nolookups}}} instead of just {{%m}}
>  ** use {{%msg{nolookups}}} instead of just {{%msg}}
>  ** use {{%message{nolookups}}} instead of just {{%message}}
>  # For releases >=2.0-beta9 and <2.7, remove the {{JndiLookup}} class from 
> the classpath: {{zip -q -d log4j-core-*.jar 
> org/apache/logging/log4j/core/lookup/JndiLookup.class}}





[jira] [Commented] (LOG4J2-3214) update security page text for CVE-2021-44228

2021-12-13 Thread Volkan Yazici (Jira)


[ 
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458298#comment-17458298
 ] 

Volkan Yazici commented on LOG4J2-3214:
---

My hesitation for configuration changes is due to the fact that there might be 
multiple places that need to be changed and it is difficult to determine which 
one will be effective at runtime. At work, I have seen people struggling to 
figure out whether they use {{PatternLayout}} or not, since the configuration 
is provided by a transitive dependency containing multiple XMLs, etc. There I 
had the impression that passing a single flag to the process eased the 
procedure a lot – later on we verify the fix by validating that the application 
reports the set property as expected. Further, people also add this environment 
variable at the OS/container level and be done with it, without needing to 
check anything else – of course, except the Log4j version where this flag is 
supported.






[jira] [Commented] (LOG4J2-3214) update security page text for CVE-2021-44228

2021-12-13 Thread Alexander Yastrebov (Jira)


[ 
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458296#comment-17458296
 ] 

Alexander Yastrebov commented on LOG4J2-3214:
-

>  The system property/environment variable does not have "evidence" that is 
> working
Environment variable is easier to set system-wide on the infrastructure level 
(e.g. in Kubernetes admission controller)

> For releases >=2.0-beta9 and <2.7, remove the {{JndiLookup}}
I think the version range should include all versions, i.e. right boundary 
should be the latest affected version. If users go for patching the library 
they might want to patch all the versions instead of applying different fixes 
for different versions






[jira] [Commented] (LOG4J2-3214) update security page text for CVE-2021-44228

2021-12-13 Thread Remko Popma (Jira)


[ 
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458265#comment-17458265
 ] 

Remko Popma commented on LOG4J2-3214:
-

Thank you [~vy]! 
I actually slightly preferred the {{%m{nolookups}}} solution to the system 
property/environment variable solution.

The reason being that, in my experience doing this mitigation process in a few 
applications at work, this was the simplest to implement and easiest to verify. 
The system property/environment variable does not have "evidence" that it is 
working, while the configuration is more self-evident. (We had some wrapper 
scripts, and processes that were started via cron, which made the system 
property/environment variable solution more complex and harder to verify in our 
environment.)

 




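Two comments in this thread make a configuration-side audit worth showing: Remko Popma's point above that the `%m{nolookups}` change is self-evident in the configuration, and Volkan Yazici's earlier remark that the effective configuration may sit in a transitive dependency's bundled XML. The following is an added example, not code from the issue or the Log4j project: it scans Log4j 2 XML configurations for message conversions (`%m`, `%msg`, `%message`) that lack `{nolookups}`, scans Log4j 1.x configurations for a `JMSAppender`, and looks inside dependency JARs for bundled configuration files. The sample configurations and the dependency JAR are constructed for the demo; the set of configuration file names checked (`CONFIG_NAMES`) is an assumption and does not cover every Log4j configuration format.

```python
"""Added example (not from LOG4J2-3214 or the Log4j project): static audit of
Log4j configuration for the two configuration-side checks in the thread."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

# %m / %msg / %message with an optional format modifier and optional {options}
MESSAGE_SPECIFIER = re.compile(r"%[-\d.]*(?:message|msg|m)\b(\{[^}]*\})?")

# Assumed set of file names worth auditing; not an exhaustive list of Log4j formats.
CONFIG_NAMES = ("log4j2.xml", "log4j2-test.xml", "log4j.properties", "log4j.xml")


def unsafe_message_specifiers(pattern: str) -> List[str]:
    """Message conversions in a PatternLayout pattern that do not carry {nolookups}."""
    return [m.group(0) for m in MESSAGE_SPECIFIER.finditer(pattern)
            if "nolookups" not in (m.group(1) or "").lower()]


def audit_log4j2_xml(text: str) -> List[str]:
    """Log4j 2: check every PatternLayout, whether given as an attribute or a child."""
    findings = []
    for elem in ET.fromstring(text).iter():
        if elem.tag.lower() != "patternlayout":
            continue
        patterns = [elem.get("pattern")] if elem.get("pattern") else []
        patterns += [c.text.strip() for c in elem if c.tag.lower() == "pattern" and c.text]
        for pat in patterns:
            for spec in unsafe_message_specifiers(pat):
                findings.append(f"PatternLayout uses {spec} without {{nolookups}}: {pat}")
    return findings


def audit_log4j1_properties(text: str) -> List[str]:
    """Log4j 1.x: flag any appender declaration that names JMSAppender."""
    findings = []
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().startswith("log4j.appender.") and "JMSAppender" in value:
            findings.append(f"Log4j 1.x config declares JMSAppender: {line.strip()}")
    return findings


def audit_config(name: str, text: str) -> List[str]:
    """Dispatch on the file name; Log4j 1.x XML gets a plain substring check."""
    if name.endswith(("log4j2.xml", "log4j2-test.xml")):
        return audit_log4j2_xml(text)
    if name.endswith("log4j.properties"):
        return audit_log4j1_properties(text)
    if name.endswith("log4j.xml"):
        return [f"Log4j 1.x XML declares JMSAppender: {name}"] if "JMSAppender" in text else []
    return []


def audit_jar_configs(data: bytes, jar_name: str) -> List[Tuple[str, str]]:
    """Audit Log4j configs bundled inside a dependency JAR (the transitive-
    dependency case from the thread). Returns (location, finding) pairs."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for entry in jar.namelist():
            base = entry.rsplit("/", 1)[-1]
            if base in CONFIG_NAMES:
                for finding in audit_config(base, jar.read(entry).decode("utf-8")):
                    results.append((f"{jar_name}!{entry}", finding))
    return results


# Constructed samples, not real project configuration.
SAMPLE_LOG4J2_XML = """<Configuration status="WARN">
  <Appenders>
    <Console name="stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level %logger - %msg%n"/>
    </Console>
    <File name="file" fileName="app.log">
      <PatternLayout>
        <Pattern>%d %p %c{1.} [%t] %m{nolookups}%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="stdout"/></Root></Loggers>
</Configuration>
"""

SAMPLE_LOG4J1_PROPERTIES = """log4j.rootLogger=INFO, jms, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""


def build_sample_dependency_jar() -> bytes:
    """Constructed dependency JAR that ships both sample configs on the classpath."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("log4j2.xml", SAMPLE_LOG4J2_XML)
        jar.writestr("legacy/log4j.properties", SAMPLE_LOG4J1_PROPERTIES)
    return buf.getvalue()


if __name__ == "__main__":
    for location, finding in audit_jar_configs(build_sample_dependency_jar(), "some-lib.jar"):
        print(f"{location}: {finding}")
```

The console appender in the sample is flagged (plain `%msg`), the file appender is not (`%m{nolookups}`), and the 1.x properties file is flagged for its `JMSAppender`. A finding only tells you a configuration file on the classpath is unsafe; which file Log4j actually loads at runtime still has to be confirmed, which is the difficulty Volkan describes.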


[jira] [Commented] (LOG4J2-3214) update security page text for CVE-2021-44228

2021-12-13 Thread Volkan Yazici (Jira)


[ 
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458244#comment-17458244
 ] 

Volkan Yazici commented on LOG4J2-3214:
---

[~rpopma], great job! Thanks so much! Some remarks:
 # I have ordered the bullets in preference order.
 # I have used signs to precisely specify version ranges.
 # I would appreciate it if we can keep the formatting (code blocks, bulleting, 
etc.) while reflecting this back to {{security.html}}. (Note that > and < 
characters need to be quoted in HTML.)



