This is an automated email from the ASF dual-hosted git repository.

rpopma pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new 2635ba6  Fix misspelled `formatMsgNoLookups`
2635ba6 is described below

commit 2635ba6b8676d05edaaf6f5969756915757d745f
Author: Remko Popma <rem...@yahoo.com>
AuthorDate: Thu Dec 16 12:53:19 2021 +0900

    Fix misspelled `formatMsgNoLookups`
---
 log4j-2.16.0/index.html    | 2 +-
 log4j-2.16.0/security.html | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/log4j-2.16.0/index.html b/log4j-2.16.0/index.html
index 11aa5f8..585023c 100644
--- a/log4j-2.16.0/index.html
+++ b/log4j-2.16.0/index.html
@@ -165,7 +165,7 @@
 <p>Summary: Apache Log4j2 Thread Context Message Pattern and Context Lookup 
Pattern vulnerable to a denial of service attack.</p><section><section>
 <h4><a name="Details"></a>Details</h4>
 <p>It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 
was incomplete in certain non-default configurations. This could allows 
attackers with control over Thread Context Map (MDC) input data when the 
logging configuration uses a Pattern Layout with either a Context Lookup (for 
example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) 
to craft malicious input data using a JNDI Lookup pattern resulting in a denial 
of service (DOS) attack. Log4j 2. [...]
-<p>Note that previous mitigations involving configuration such as setting the 
system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific 
vulnerability.</p></section><section>
+<p>Note that previous mitigations involving configuration such as setting the 
system property log4j2.formatMsgNoLookups to true do NOT mitigate this specific 
vulnerability.</p></section><section>
 <h4><a name="Mitigation"></a>Mitigation</h4>
 <p>In version 2.12.2 Log4j disables access to JNDI by default. Usage of JNDI 
in configuration now need to be enabled explicitly. Calls to the JndiLookup 
will now return a constant string. Also, Log4j now limits the protocols by 
default to only java. The message lookups feature has been completely 
removed.</p></section><section>
 <p>In version 2.16.0 Log4j disables access to JNDI by default. JNDI lookups in 
configuration now need to be enabled explicitly. Also, Log4j now limits the 
protocols by default to only java, ldap, and ldaps and limits the ldap 
protocols to only accessing Java primitive objects. Hosts other than the local 
host need to be explicitly allowed. The message lookups feature has been 
completely removed.</p></section><section>
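Review bot: the corrected property name in the `+` line, `log4j2.formatMsgNoLookups`, matches the documented system property, but the unchanged context lines in this same hunk still carry grammar slips that an advisory page should not ship with: "This could allows attackers" (drop the "s"), "Usage of JNDI in configuration now need to be enabled" (needs), and "limits the protocols by default to only java" reads awkwardly next to the 2.16.0 paragraph's fuller list. Since the advisory already says the message lookups feature is "completely removed", consider adding a short sentence in the 2.16.0 paragraph stating explicitly that `log4j2.formatMsgNoLookups` is therefore no longer needed on 2.16.0, so readers do not keep setting a property that no longer has an effect.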
diff --git a/log4j-2.16.0/security.html b/log4j-2.16.0/security.html
index 5c35fee..9756810 100644
--- a/log4j-2.16.0/security.html
+++ b/log4j-2.16.0/security.html
@@ -172,7 +172,7 @@
 <p>Base CVSS Score: 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)</p>
 <p>Versions Affected: all versions from 2.0-beta9 through 2.12.1 and 2.13.0 
through 2.15.0</p></section><section>
 <h4><a name="Description"></a>Description</h4>
-<p>It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 
was incomplete in certain non-default configurations. This could allows 
attackers with control over Thread Context Map (MDC) input data when the 
logging configuration uses a non-default Pattern Layout with either a Context 
Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, 
%mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern 
resulting in a denial of service (DOS) atta [...]
+<p>It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 
was incomplete in certain non-default configurations. This could allows 
attackers with control over Thread Context Map (MDC) input data when the 
logging configuration uses a non-default Pattern Layout with either a Context 
Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, 
%mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern 
resulting in a denial of service (DOS) atta [...]
 <h4><a name="Mitigation"></a>Mitigation</h4>
 <p><b>Log4j 1.x mitigation</b>: Log4j 1.x is not impacted by this 
vulnerability.</p>
 <p><b>Log4j 2.x mitigation</b>: Implement one of the mitigation techniques 
below.</p>
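Review bot: the visible part of the `-` and `+` lines in this hunk is byte-for-byte identical, so the actual change lives entirely in the truncated tail ("atta [...]"); the review cannot confirm that the property name here was changed to `log4j2.formatMsgNoLookups` the same way as in `index.html`, and a diff with the full line, or a commit-message note that both pages were updated identically, would make that verifiable. The same "This could allows attackers" grammar slip appears in the `+` line and could be fixed in this pass, and the "Description" text here says "non-default Pattern Layout" while the `index.html` copy says just "Pattern Layout"; the two advisory pages should use one wording so they do not diverge further with each fix.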
