This is an automated email from the ASF dual-hosted git repository. rpopma pushed a commit to branch asf-staging in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git
The following commit(s) were added to refs/heads/asf-staging by this push: new 2635ba6 Fix misspelled `formatMsgNoLookups` 2635ba6 is described below commit 2635ba6b8676d05edaaf6f5969756915757d745f Author: Remko Popma <rem...@yahoo.com> AuthorDate: Thu Dec 16 12:53:19 2021 +0900 Fix misspelled `formatMsgNoLookups` --- log4j-2.16.0/index.html | 2 +- log4j-2.16.0/security.html | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/log4j-2.16.0/index.html b/log4j-2.16.0/index.html index 11aa5f8..585023c 100644 --- a/log4j-2.16.0/index.html +++ b/log4j-2.16.0/index.html 
@@ -165,7 +165,7 @@ <p>Summary: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.</p><section><section> <h4><a name="Details"></a>Details</h4> <p>It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2. [...] -<p>Note that previous mitigations involving configuration such as setting the system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific vulnerability.</p></section><section> +<p>Note that previous mitigations involving configuration such as setting the system property log4j2.formatMsgNoLookups to true do NOT mitigate this specific vulnerability.</p></section><section> <h4><a name="Mitigation"></a>Mitigation</h4> <p>In version 2.12.2 Log4j disables access to JNDI by default. Usage of JNDI in configuration now need to be enabled explicitly. Calls to the JndiLookup will now return a constant string. Also, Log4j now limits the protocols by default to only java. The message lookups feature has been completely removed.</p></section><section> <p>In version 2.16.0 Log4j disables access to JNDI by default. JNDI lookups in configuration now need to be enabled explicitly. Also, Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap protocols to only accessing Java primitive objects. Hosts other than the local host need to be explicitly allowed. The message lookups feature has been completely removed.</p></section><section> diff --git a/log4j-2.16.0/security.html b/log4j-2.16.0/security.html index 5c35fee..9756810 100644 
--- a/log4j-2.16.0/security.html +++ b/log4j-2.16.0/security.html @@ -172,7 +172,7 @@ <p>Base CVSS Score: 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)</p> <p>Versions Affected: all versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0</p></section><section> <h4><a name="Description"></a>Description</h4> -<p>It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) atta [...] +<p>It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) atta [...] <h4><a name="Mitigation"></a>Mitigation</h4> <p><b>Log4j 1.x mitigation</b>: Log4j 1.x is not impacted by this vulnerability.</p> <p><b>Log4j 2.x mitigation</b>: Implement one of the mitigation techniques below.</p>
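Review bot: in the index.html hunk the `+` line's new name `log4j2.formatMsgNoLookups` is the property Log4j 2 actually reads, so the rename is right, but the paragraph being edited still carries two wording errors in its unchanged context line: "This could allows attackers with control over Thread Context Map (MDC) input data" should read "This could allow attackers", and "denial of service (DOS) attack" should read "denial of service (DoS) attack". Since this commit is already correcting a typo in the same "Details" section, fixing those in the same pass would avoid a second site rebuild for the same paragraph.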
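Review bot: in the security.html hunk the `-` and `+` lines are identical up to the point where the email truncates them with "[...]", so the actual change in this hunk is not visible here and cannot be checked against the commit message "Fix misspelled `formatMsgNoLookups`"; the hunk header shows a single-line replacement, which is consistent with the same property-name fix, but anyone reviewing from this email has to open the commit to confirm. The visible part of the replaced line also repeats the grammar error from the old line ("This could allows attackers with control over Thread Context Map (MDC) input data"), so the `+` line could read "This could allow attackers" while it is being rewritten anyway.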