This is an automated email from the ASF dual-hosted git repository.
rpopma pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git
The following commit(s) were added to refs/heads/asf-staging by this push:
new 94f51a0 [DOC] stop recommending 2.15
94f51a0 is described below
commit 94f51a00a2bf1a2d949b3a93bcbf3a1a498ee780
Author: Remko Popma <rem...@yahoo.com>
AuthorDate: Tue Dec 14 23:28:14 2021 +0900
[DOC] stop recommending 2.15
---
log4j-2.16.0/index.html | 2 +-
log4j-2.16.0/security.html | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/log4j-2.16.0/index.html b/log4j-2.16.0/index.html
index 2a7953d..e9b4834 100644
--- a/log4j-2.16.0/index.html
+++ b/log4j-2.16.0/index.html
@@ -159,7 +159,7 @@
<h1>Apache Log4j 2</h1>
<p>Apache Log4j 2 is an upgrade to Log4j that provides significant
improvements over its predecessor, Log4j 1.x, and provides many of the
improvements available in Logback while fixing some inherent problems in
Logback’s architecture.</p><section>
<h2><a name="Important:_Security_Vulnerability_CVE-2021-44228"></a><a
name="CVE-2021-44228"></a>Important: Security Vulnerability CVE-2021-44228</h2>
-<p>The Log4j team has been made aware of a security vulnerability,
CVE-2021-44228, that has been addressed in Log4j 2.15.0 and 2.16.0.</p>
+<p>The Log4j team has been made aware of a security vulnerability,
CVE-2021-44228, that has been addressed in Log4j 2.16.0.</p>
<p>Log4j’s JNDI support has not restricted what names could be
resolved. Some protocols are unsafe or can allow remote code execution.</p>
<p>One vector that allowed exposure to this vulnerability was Log4j’s
allowance of Lookups to appear in log messages. This meant that when user input
is logged, and that user input contained a JNDI Lookup pointing to a malicious
server, then Log4j would resolve that JNDI Lookup, connect to that server, and
potentially download serialized Java code from that remote server. This in turn
could execute any code during deserialization. This is known as a RCE (Remote
Code Execution) att [...]
<p>From version 2.16.0, the message lookups feature has been completely
removed. Lookups in configuration still work. Furthermore, Log4j now disables
access to JNDI by default. JNDI lookups in configuration now need to be enabled
explicitly. Also, Log4j now limits the protocols by default to only java, ldap,
and ldaps and limits the ldap protocols to only accessing Java primitive
objects. Hosts other than the local host need to be explicitly allowed.</p>
diff --git a/log4j-2.16.0/security.html b/log4j-2.16.0/security.html
index a6110fa..842612a 100644
--- a/log4j-2.16.0/security.html
+++ b/log4j-2.16.0/security.html
@@ -164,7 +164,7 @@
<p>If you need help on building or configuring Log4j or other help on
following the instructions to mitigate the known vulnerabilities listed here,
please send your questions to the public Log4j Users mailing list</p>
<p>If you have encountered an unlisted security vulnerability or other
unexpected behaviour that has security impact, or if the descriptions here are
incomplete, please report them privately to the <a class="externalLink"
href="mailto:priv...@logging.apache.org";>Log4j Security Team</a>. Thank
you.</p><section><section>
<p><a name="CVE-2021-44228"></a> <a
name="cve-2021-44228"></a></p><section><section>
-<h3><a name="Fixed_in_Log4j_2.15.0_and_2.16.0"></a>Fixed in Log4j 2.15.0 and
2.16.0</h3><section>
+<h3><a name="Fixed_in_Log4j_2.15.0_and_2.16.0"></a>Fixed in Log4j
2.16.0</h3><section>
<h4><a name="CVE-2021-44228"></a>CVE-2021-44228</h4>
<p><a class="externalLink"
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228";>CVE-2021-44228</a>:
Apache Log4j2 JNDI features do not protect against attacker controlled LDAP
and other JNDI related endpoints.</p>
<p>Severity: Critical</p>
