[jira] [Commented] (LOG4J2-3214) Update security page text for CVE-2021-44228
[ https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458749#comment-17458749 ]

Remko Popma commented on LOG4J2-3214:
-------------------------------------

Update: mention the separate CVE (CVE-2021-4104) for Log4j 1.x, and add a line that the log4j-api is not impacted.

> Update security page text for CVE-2021-44228
> ---------------------------------------------
>
>                 Key: LOG4J2-3214
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3214
>             Project: Log4j 2
>          Issue Type: Documentation
>    Affects Versions: 2.15.0
>            Reporter: Remko Popma
>            Priority: Major
>             Fix For: 2.16.0
>
>
> I propose to update the text for the mitigation section of CVE-2021-44228 on
> [https://logging.apache.org/log4j/2.x/security.html]
> Changes: add Log4j 1.x section, and format the Log4j 2.x section as a bullet
> point list for improved readability.
>
> *Log4j 1.x mitigation*: Audit your logging configuration to ensure it has
> no {{JMSAppender}} configured. Log4j 1.x configurations without JMSAppender
> are not impacted by this vulnerability. (Note that there is a separate CVE
> (CVE-2021-4104) for this vulnerability now.)
> *Log4j 2.x mitigation*: Implement one of the mitigation techniques below.
> * Upgrade to release 2.15.0 or later
> * For releases >= 2.10,
> ** set system property {{log4j2.formatMsgNoLookups}} to {{true}} (see
> [https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties])
> ** or set environment variable {{LOG4J_FORMAT_MSG_NO_LOOKUPS}} to {{true}}
> (see
> [https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties]).
> * For releases >= 2.7 and <= 2.14.1, modify your logging configuration to
> disable message lookups:
> ** use {{%m{nolookups}}} instead of just {{%m}}
> ** use {{%msg{nolookups}}} instead of just {{%msg}}
> ** use {{%message{nolookups}}} instead of just {{%message}}
> * For releases >= 2.0-beta9 and < 2.7, the only mitigation is to remove the
> {{JndiLookup}} class from the classpath:
> {{zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class}}
> The log4j-api JAR file in Log4j2 is not impacted by this vulnerability.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
[jira] [Commented] (LOG4J2-3214) Update security page text for CVE-2021-44228
[ https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458696#comment-17458696 ]

Volkan Yazici commented on LOG4J2-3214:
---------------------------------------

I am back, again! The way it is now looks good to me. (y)

> Update security page text for CVE-2021-44228
> ---------------------------------------------
>
>                 Key: LOG4J2-3214
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3214
>             Project: Log4j 2
>          Issue Type: Documentation
>    Affects Versions: 2.15.0
>            Reporter: Remko Popma
>            Priority: Major
>             Fix For: 2.16.0
>
>
> I propose to update the text for the mitigation section of CVE-2021-44228 on
> [https://logging.apache.org/log4j/2.x/security.html]
> Changes: add Log4j 1.x section, and format the Log4j 2.x section as a bullet
> point list for improved readability.
>
> *Log4j 1.x mitigation*: Audit your logging configuration to ensure it has
> no {{JMSAppender}} configured. Log4j 1.x configurations without JMSAppender
> are not impacted by this vulnerability.
> *Log4j 2.x mitigation*: Implement one of the mitigation techniques below.
> * Upgrade to release 2.15.0 or later
> * For releases >= 2.10,
> ** set system property {{log4j2.formatMsgNoLookups}} to {{true}} (see
> [https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties])
> ** or set environment variable {{LOG4J_FORMAT_MSG_NO_LOOKUPS}} to {{true}}
> (see
> [https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties]).
> * For releases >= 2.7 and <= 2.14.1, modify your logging configuration to
> disable message lookups:
> ** use {{%m{nolookups}}} instead of just {{%m}}
> ** use {{%msg{nolookups}}} instead of just {{%msg}}
> ** use {{%message{nolookups}}} instead of just {{%message}}
> * For releases >= 2.0-beta9 and < 2.7, the only mitigation is to remove the
> {{JndiLookup}} class from the classpath:
> {{zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class}}
[jira] [Commented] (LOG4J2-3214) Update security page text for CVE-2021-44228
[ https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458520#comment-17458520 ]

Mark J. Cox commented on LOG4J2-3214:
-------------------------------------

Gary, although the CVE was initially allocated from the Red Hat CNA, the text we sent to cve.org was written by the ASF and the "owner" of the CVE is being transferred to ASF. It will be visible on cve.org soon.
[jira] [Commented] (LOG4J2-3214) Update security page text for CVE-2021-44228
[ https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458513#comment-17458513 ]

Gary D. Gregory commented on LOG4J2-3214:
-----------------------------------------

The confusion is made worse as CVE-2021-4104 is a RedHat "CVE" which is not registered with cve.org.
[jira] [Commented] (LOG4J2-3214) Update security page text for CVE-2021-44228
[ https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458508#comment-17458508 ]

Mark J. Cox commented on LOG4J2-3214:
-------------------------------------

Note CVE-2021-4104 is for log4j 1.x now; please can you quote it on the updated page.
[jira] [Commented] (LOG4J2-3214) Update security page text for CVE-2021-44228
[ https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458489#comment-17458489 ]

Steve Parker commented on LOG4J2-3214:
--------------------------------------

{noformat}
The reason we single out this version range 2.0-beta9 to <2.7 is because for this version range, modifying the log4j-core JAR is the only mitigation mechanism available
{noformat}

In 2.0-beta9, the Interpolator class always tries to load the JndiLookup class, so if the class is removed from the jarfile, an unhandled exception will be thrown.
See [Interpolator.java 2.0-beta9|https://github.com/apache/logging-log4j2/blob/log4j-2.0-beta9/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java]

In later versions, it tries to load the class first and handles any exception as a Warning.
See [Interpolator.java 2.15.0|https://github.com/apache/logging-log4j2/blob/rel/2.15.0/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java]

Applications using 2.0-beta9 that don't handle the exception may not start if the JndiLookup class is not found.
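The version-range list in the issue description and the 2.0-beta9 start-up caveat raised in this comment, as an added example (my own code, not the project's or any commenter's): a Python audit that reads the version from a log4j-core JAR's Maven pom.properties, checks whether JndiLookup.class is present, and maps the version onto the listed mitigations. The JAR used here is a constructed in-memory stand-in; a real file's bytes go through the same inspect_jar.

```python
"""Audit script for the mitigation ranges in LOG4J2-3214 (added example)."""
import io
import re
import zipfile

# Paths inside a log4j-core JAR (standard Maven layout; the class path is the
# one used in the zip -d command from the issue description).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
PRE_RANK = {"beta": 0, "rc": 1}   # pre-releases sort below the final release


def parse_version(text):
    """Turn '2.0-beta9', '2.0-rc2', '2.10' or '2.14.1' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j-core version: {text!r}")
    major, minor, patch, kind, num = m.groups()
    rank = PRE_RANK[kind] if kind else 2
    return (int(major), int(minor), int(patch or 0), rank, int(num or 0))


def mitigations(version_text, jndi_present):
    """Map a log4j-core version onto the options listed in the issue description."""
    v = parse_version(version_text)
    if v >= parse_version("2.15.0"):
        return ["at 2.15.0 or later: CVE-2021-44228 mitigation already shipped"]
    if v < parse_version("2.0-beta9"):
        return ["older than 2.0-beta9: outside the listed range, review manually"]
    out = ["upgrade to release 2.15.0 or later"]
    if v >= parse_version("2.10"):
        out.append("set system property log4j2.formatMsgNoLookups=true or "
                   "environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true")
    if parse_version("2.7") <= v <= parse_version("2.14.1"):
        out.append("use %m{nolookups} / %msg{nolookups} / %message{nolookups} "
                   "instead of %m / %msg / %message in the layout")
    if v < parse_version("2.7"):
        if jndi_present:
            out.append("remove JndiLookup.class from the JAR: "
                       f"zip -q -d log4j-core-*.jar {JNDI_CLASS}")
        else:
            out.append("JndiLookup.class already absent from the JAR")
        if v == parse_version("2.0-beta9"):
            # Steve Parker's caveat: the beta9 Interpolator loads the class unconditionally.
            out.append("caveat: 2.0-beta9's Interpolator always loads JndiLookup, "
                       "so the application may fail to start once the class is removed")
    return out


def inspect_jar(jar_bytes):
    """Return (version, jndi_present) read from a log4j-core JAR's contents."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    return version, JNDI_CLASS in names


def build_sample_jar(version, with_jndi=True):
    """Constructed stand-in for a real log4j-core JAR, for offline runs only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return buf.getvalue()


def advise(jar_bytes):
    """Full pipeline: inspect the JAR, then list the applicable mitigations."""
    version, jndi_present = inspect_jar(jar_bytes)
    if version is None:
        return ["no pom.properties found: determine the version another way"]
    return mitigations(version, jndi_present)


if __name__ == "__main__":
    for ver in ("2.0-beta9", "2.3", "2.8.2", "2.14.1", "2.15.0"):
        print(f"{ver:>10}: " + "; ".join(advise(build_sample_jar(ver))))
```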
[jira] [Commented] (LOG4J2-3214) Update security page text for CVE-2021-44228
[ https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458463#comment-17458463 ]

Andreas Pabst commented on LOG4J2-3214:
---------------------------------------

Considering that for version range 2.0-beta9 to <2.7 no configuration-only mitigation is possible, I would suggest also mentioning the option to set the log level to OFF as a short-term mitigation for vulnerable production applications that cannot upgrade immediately.
[jira] [Commented] (LOG4J2-3214) Update security page text for CVE-2021-44228
[ https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458385#comment-17458385 ]

Gary D. Gregory commented on LOG4J2-3214:
-----------------------------------------

I made a couple of readability tweaks.
[jira] [Commented] (LOG4J2-3214) update security page text for CVE-2021-44228
[ https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458347#comment-17458347 ]

Gary D. Gregory commented on LOG4J2-3214:
-----------------------------------------

I would like to replace the "details" links with actual links, to make cut and paste more solid.

> update security page text for CVE-2021-44228
> ---------------------------------------------
>
>                 Key: LOG4J2-3214
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3214
>             Project: Log4j 2
>          Issue Type: Documentation
>    Affects Versions: 2.15.0
>            Reporter: Remko Popma
>            Priority: Major
>             Fix For: 2.16.0
>
>
> I propose to update the text for the mitigation section of CVE-2021-44228 on
> [https://logging.apache.org/log4j/2.x/security.html]
> Changes: add Log4j 1.x section, and format the Log4j 2.x section as a bullet
> point list for improved readability.
>
> *Log4j 1.x mitigation*: Audit your logging configuration to ensure it has
> no {{JMSAppender}} configured. Log4j 1.x configurations without JMSAppender
> are not impacted by this vulnerability.
> *Log4j 2.x mitigation*: Implement one of the below listed mitigation
> techniques.
> * Upgrade to release 2.15.0 or later
> * For releases >=2.10,
> ** set system property {{log4j2.formatMsgNoLookups}} to {{true}} (see
> [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties])
> ** or set environment variable {{LOG4J_FORMAT_MSG_NO_LOOKUPS}} to {{true}}
> (see
> [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties]).
> * For releases >=2.7 and <=2.14.1, modify your logging configuration to
> disable message lookups:
> ** use {{%m{nolookups}}} instead of just {{%m}}
> ** use {{%msg{nolookups}}} instead of just {{%msg}}
> ** use {{%message{nolookups}}} instead of just {{%message}}
> * For releases >=2.0-beta9 and <2.7, the only mitigation is to remove the
> {{JndiLookup}} class from the classpath:
> {{zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class}}
[jira] [Commented] (LOG4J2-3214) update security page text for CVE-2021-44228
[ https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458341#comment-17458341 ]

Remko Popma commented on LOG4J2-3214:
-------------------------------------

[~AlexanderYastrebov] thank you for the feedback!

{quote}
> For releases >=2.0-beta9 and <2.7, remove the {{JndiLookup}}

I think the version range should include all versions, i.e. right boundary should be the latest affected version. If users go for patching the library they might want to patch all the versions instead of applying different fixes for different versions
{quote}

The reason we single out this version range 2.0-beta9 to <2.7 is because for this version range, modifying the log4j-core JAR is the *only* mitigation mechanism available. I will update the text to emphasize this.

[~vy] It looks like with even only 3 people we already have very different ideas of what the "preferred" mitigation mechanism is. This likely differs a lot per environment. I propose we do not attempt to create a hierarchy of preference, and just make it a simple bullet point list instead, where any of the options is a valid mechanism.

One argument for ordering the mitigation mechanisms as below is that this is the conventional order for any customization, but I am open to switching 2 and 3...
* latest version (no config needed)
* config
* system prop/environment var
* modify the JAR

I will change the wording to reflect the above.

> update security page text for CVE-2021-44228
> ---------------------------------------------
>
>                 Key: LOG4J2-3214
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3214
>             Project: Log4j 2
>          Issue Type: Documentation
>    Affects Versions: 2.15.0
>            Reporter: Remko Popma
>            Priority: Major
>             Fix For: 2.16.0
>
>
> I propose to update the text for the mitigation section of CVE-2021-44228 on
> [https://logging.apache.org/log4j/2.x/security.html]
> Changes: add Log4j 1.x section, and format the Log4j 2.x section as a bullet
> point list for improved readability.
>
> *Log4j 1.x mitigation*: Audit your logging configuration to ensure it has
> no {{JMSAppender}} configured. Log4j 1.x configurations without JMSAppender
> are not impacted by this vulnerability.
> *Log4j 2.x mitigation*: Implement one of the below listed mitigation
> techniques, ordered from the most recommended approach to the least.
> # Upgrade to a version >=2.15.0 or later
> # For releases >=2.10,
> ** set system property {{log4j2.formatMsgNoLookups}} to {{true}} (see
> [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties])
> ** or set environment variable {{LOG4J_FORMAT_MSG_NO_LOOKUPS}} to {{true}}
> (see
> [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties]).
> # For releases >=2.7 and <=2.14.1, modify your logging configuration to
> disable message lookups:
> ** use {{%m{nolookups}}} instead of just {{%m}}
> ** use {{%msg{nolookups}}} instead of just {{%msg}}
> ** use {{%message{nolookups}}} instead of just {{%message}}
> # For releases >=2.0-beta9 and <2.7, remove the {{JndiLookup}} class from
> the classpath:
> {{zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class}}
[jira] [Commented] (LOG4J2-3214) update security page text for CVE-2021-44228
[ https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458298#comment-17458298 ]

Volkan Yazici commented on LOG4J2-3214:
---------------------------------------

My hesitation for configuration changes is due to the fact that there might be multiple places that need to be changed and it is difficult to determine which one will be effective at runtime. At work, I have seen people struggling to figure out whether they use {{PatternLayout}} or not, since the configuration is provided by a transitive dependency containing multiple XMLs, etc. There I had the impression that passing a single flag to the process eased the procedure a lot – later on we verify the fix by validating that the application reports the set property as expected.

Further, people also add this environment variable at the OS/container level and be done with it, without needing to check anything else – of course, except the Log4j version where this flag is supported.
[jira] [Commented] (LOG4J2-3214) update security page text for CVE-2021-44228
[ https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458296#comment-17458296 ]

Alexander Yastrebov commented on LOG4J2-3214:
---------------------------------------------

> The system property/environment variable does not have "evidence" that is
> working

An environment variable is easier to set system-wide on the infrastructure level (e.g. in Kubernetes admission controller).

> For releases >=2.0-beta9 and <2.7, remove the {{JndiLookup}}

I think the version range should include all versions, i.e. the right boundary should be the latest affected version. If users go for patching the library they might want to patch all the versions instead of applying different fixes for different versions.
[jira] [Commented] (LOG4J2-3214) update security page text for CVE-2021-44228
[ https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458265#comment-17458265 ]

Remko Popma commented on LOG4J2-3214:
-------------------------------------

Thank you [~vy]! I actually slightly preferred the {{%m{nolookups}}} solution to the system property/environment variable solution. The reason being that in my experience doing this mitigation process in a few applications at work, this was the simplest to implement and easiest to verify. The system property/environment variable does not have "evidence" that it is working, while the configuration is more self-evident. (We had some wrapper scripts, and processes that were started via cron, that made the system property/environment variable solution more complex and harder to verify in our environment.)
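The configuration-based mitigation discussed in the last two comments (the %m / %msg / %message conversions versus their {nolookups} forms, and the difficulty of verifying it across several layouts), as an added example that is my own code rather than the project's or any commenter's: a Python audit of a log4j2.xml that reports every PatternLayout whose message conversion still allows lookups and shows the hardened pattern. The configuration is a constructed sample; a real file is passed in as its text.

```python
"""PatternLayout audit for the %m{nolookups} mitigation (added example)."""
import re
import xml.etree.ElementTree as ET

# %m, %msg or %message, with optional format modifiers (e.g. %-30m), not followed
# by another letter (so %marker, %maxLen and %method are ignored), plus an optional
# {options} group whose contents are checked for nolookups.
MSG_CONVERSION = re.compile(r"%([-.\d]*)(message|msg|m)(?![A-Za-z])(?:\{([^}]*)\})?")

# Constructed sample configuration: one layout already hardened, two not.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d %marker %m{nolookups}%n</Pattern>
      </PatternLayout>
    </File>
    <File name="App" fileName="app.log">
      <PatternLayout pattern="%d %-30message%n"/>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
"""


def unsafe_message_conversions(pattern):
    """List the message conversions in a pattern that still allow lookups."""
    return [m.group(0) for m in MSG_CONVERSION.finditer(pattern)
            if "nolookups" not in (m.group(3) or "").lower()]


def harden_pattern(pattern):
    """Append {nolookups} to each bare message conversion. Conversions that already
    carry some other option group are left untouched (they still show up in the
    audit) rather than guessing how to merge options."""
    def fix(m):
        mods, word, opts = m.groups()
        return f"%{mods}{word}{{nolookups}}" if opts is None else m.group(0)
    return MSG_CONVERSION.sub(fix, pattern)


def layout_patterns(config_xml):
    """Yield (appender name, pattern) for every PatternLayout in a log4j2.xml,
    whether the pattern is an attribute or a nested <Pattern> element."""
    root = ET.fromstring(config_xml)
    for element in root.iter():
        for layout in element.findall("PatternLayout"):
            pattern = layout.get("pattern")
            if pattern is None and layout.find("Pattern") is not None:
                pattern = layout.find("Pattern").text
            if pattern is not None:
                yield element.get("name", element.tag), pattern.strip()


def audit_config(config_xml):
    """Map each appender to the lookups-enabled conversions in its layout."""
    return {name: unsafe_message_conversions(p) for name, p in layout_patterns(config_xml)}


if __name__ == "__main__":
    for name, pattern in layout_patterns(SAMPLE_CONFIG):
        unsafe = unsafe_message_conversions(pattern)
        status = "OK" if not unsafe else f"needs {unsafe} -> {harden_pattern(pattern)}"
        print(f"{name}: {status}")
```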
[jira] [Commented] (LOG4J2-3214) update security page text for CVE-2021-44228
[ https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458244#comment-17458244 ]

Volkan Yazici commented on LOG4J2-3214:
---------------------------------------

[~rpopma], great job! Thanks so much! Some remarks:
# I have ordered the bullets in preference order.
# I have used signs to precisely specify version ranges.
# I would appreciate it if we can keep the formatting (code blocks, bulleting, etc.) while reflecting this back to {{security.html}}. (Note that > and < characters need to be quoted in HTML.)