This is an automated email from the ASF dual-hosted git repository.

rpopma pushed a commit to branch release-2.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git


The following commit(s) were added to refs/heads/release-2.x by this push:
     new fafe25d  [DOC] update index and security page markdown with changes 
that were made directly to the site
fafe25d is described below

commit fafe25d0617e90d9ca376640087a1779a4d4e29d
Author: rpopma <rpo...@apache.org>
AuthorDate: Fri Dec 17 09:56:48 2021 +0900

    [DOC] update index and security page markdown with changes that were made 
directly to the site
---
 src/site/markdown/index.md.vm | 34 +++++++++++++++++++++-------------
 src/site/markdown/security.md | 16 +++++++++++-----
 2 files changed, 32 insertions(+), 18 deletions(-)

diff --git a/src/site/markdown/index.md.vm b/src/site/markdown/index.md.vm
index 3574ef2..848373a 100644
--- a/src/site/markdown/index.md.vm
+++ b/src/site/markdown/index.md.vm
@@ -29,13 +29,14 @@ provides many of the improvements available in Logback 
while fixing some inheren
 <a name="CVE-2021-45046"/>
 $h2 Important: Security Vulnerability CVE-2021-45046
 
-The Log4j team has been made aware of a security vulnerability, 
CVE-2021-45046, that has been addressed in Log4j 2.16.0.
+The Log4j team has been made aware of a security vulnerability, 
CVE-2021-45046, that has been addressed in
+Log4j 2.12.2 for Java 7 and 2.16.0 for Java 8 and up.
 
 Summary: Apache Log4j2 Thread Context Message Pattern and Context Lookup 
Pattern vulnerable to a denial of service attack.
 
 $h4 Details
 It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was 
incomplete in certain non-default
-configurations. This could allows attackers with control over Thread Context 
Map (MDC) input data when the logging
+configurations. This could allow attackers with control over Thread Context 
Map (MDC) input data when the logging
 configuration uses a Pattern Layout with either a Context Lookup (for example, 
\$\$\{ctx:loginId\}) or a
 Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data 
using a JNDI Lookup pattern
 resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI 
LDAP lookups to localhost by default.
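Review bot: the rewritten opening sentence says the fix ships in "2.12.2 for Java 7 and 2.16.0 for Java 8 and up", but the Details paragraph that follows still describes only the 2.15.0 behaviour ("Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default") and never states that 2.12.2 is a backport on the 2.12.x line rather than a successor of 2.15.0. Add one sentence after the 2.15.0 statement making that explicit, so a Java 7 reader does not conclude that 2.12.2 inherits the incomplete 2.15.0 localhost restriction.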
@@ -44,13 +45,17 @@ Note that previous mitigations involving configuration such 
as setting the syste
 to `true` do NOT mitigate this specific vulnerability.
 
 $h4 Mitigation
-In version 2.12.2 (for Java 7), Log4j disables access to JNDI by default. 
Usage of JNDI in configuration now need to be enabled explicitly.
-Calls to the JndiLookup will now return a constant string. Also, Log4j now 
limits the protocols by default to only java.
-The message lookups feature has been completely removed.
-
-From version 2.16.0 (for Java 8), Log4j disables access to JNDI by default. 
JNDI lookups in configuration now need to be enabled explicitly.
-Also, Log4j now limits the protocols by default to only java, ldap, and ldaps 
and limits the ldap
-protocols to only accessing Java primitive objects. Hosts other than the local 
host need to be explicitly allowed.
+In version 2.12.2 (for Java 7), Log4j disables access to JNDI by default.
+Usage of JNDI in configuration now needs to be enabled explicitly.
+Calls to the JndiLookup will now return a constant string.
+Also, Log4j now limits the protocols by default to only java.
+The message lookups feature has been completely removed. Lookups in 
configuration still work.
+
+From version 2.16.0 (for Java 8), Log4j disables access to JNDI by default.
+JNDI lookups in configuration now need to be enabled explicitly.
+Also, Log4j now limits the protocols by default to only java, ldap, and ldaps
+and limits the ldap protocols to only accessing Java primitive objects.
+Hosts other than the local host need to be explicitly allowed.
 The message lookups feature has been completely removed.
 
 $h4 Reference
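Review bot: the two mitigation paragraphs are now inconsistent. The 2.12.2 paragraph gained "The message lookups feature has been completely removed. Lookups in configuration still work.", while the 2.16.0 paragraph still ends with the bare "The message lookups feature has been completely removed." and says nothing about configuration lookups, even though the same clarification applies there. Append "Lookups in configuration still work." to the 2.16.0 paragraph as well, so neither reader infers that configuration lookups were also removed.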
@@ -60,7 +65,8 @@ Please refer to the [Security 
page](security.html#CVE-2021-45046) for details an
 <a name="CVE-2021-44228"/>
 $h2 Important: Security Vulnerability CVE-2021-44228
 
-The Log4j team has been made aware of a security vulnerability, 
CVE-2021-44228, that has been addressed in Log4j 2.16.0.
+The Log4j team has been made aware of a security vulnerability, 
CVE-2021-44228, that has been addressed
+in Log4j 2.12.2 and Log4j 2.16.0.
 
 $h4 Summary
 Log4j’s JNDI support has not restricted what names could be resolved. Some 
protocols are unsafe or can allow remote code
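Review bot: the new sentence "addressed in Log4j 2.12.2 and Log4j 2.16.0" drops the Java-version qualifiers that the CVE-2021-45046 section above uses ("2.12.2 for Java 7 and 2.16.0 for Java 8 and up"). Without them a reader on Java 8 may pick 2.12.2 as a fixed version. Use the same wording in both sections, for example "in Log4j 2.12.2 (for Java 7) and Log4j 2.16.0 (for Java 8 and up)".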
@@ -74,9 +80,11 @@ that remote server. This in turn could execute any code 
during deserialization.
 This is known as a RCE (Remote Code Execution) attack.
 
 $h4 Mitigation
-In version 2.12.2 (for Java 7), Log4j disables access to JNDI by default. 
Usage of JNDI in configuration now need to be enabled explicitly.
-Calls to the JndiLookup will now return a constant string. Also, Log4j now 
limits the protocols by default to only java.
-The message lookups feature has been completely removed.
+In version 2.12.2 (for Java 7), Log4j disables access to JNDI by default.
+Usage of JNDI in configuration now needs to be enabled explicitly.
+Calls to the JndiLookup will now return a constant string.
+Also, Log4j now limits the protocols by default to only java.
+The message lookups feature has been completely removed. Lookups in 
configuration still work.
 
 From version 2.16.0 (for Java 8), the message lookups feature has been 
completely removed. Lookups in configuration still work.
 Furthermore, Log4j now disables access to JNDI by default. JNDI lookups in 
configuration now need to be enabled explicitly.
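Review bot: the 2.12.2 paragraph reads as self-contradictory: it says JNDI "now needs to be enabled explicitly" and, two lines later, that "Calls to the JndiLookup will now return a constant string". If JNDI can be re-enabled, the constant string can only be the behaviour while JNDI stays disabled. Tie the two statements together, for example "While JNDI is disabled (the default), calls to the JndiLookup return a constant string", and apply the same fix to the identical paragraph in the CVE-2021-45046 section above.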
diff --git a/src/site/markdown/security.md b/src/site/markdown/security.md
index f854451..8addf4c 100644
--- a/src/site/markdown/security.md
+++ b/src/site/markdown/security.md
@@ -46,7 +46,7 @@ that has security impact, or if the descriptions here are 
incomplete, please rep
 privately to the [Log4j Security Team](mailto:priv...@logging.apache.org). 
Thank you.
 
 
-## <a name="log4j-2.16.0"/> Fixed in Log4j 2.16.0 (Java 8)
+## <a name="log4j-2.16.0"/> Fixed in Log4j 2.12.2 (Java 7) and Log4j 2.16.0 
(Java 8)
 
 <a name="CVE-2021-45046"/><a name="cve-2021-45046"/>
 
[CVE-2021-45046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046):
  Apache Log4j2
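Review bot: the heading now names two releases but the anchor stays `<a name="log4j-2.16.0"/>`, so there is no stable fragment for linking to the 2.12.2 fix. Following the dual-anchor convention used on the very next line (`<a name="CVE-2021-45046"/><a name="cve-2021-45046"/>`), add `<a name="log4j-2.12.2"/>` beside the existing anchor rather than renaming it, so existing links to `#log4j-2.16.0` keep working.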
@@ -79,6 +79,9 @@ Implement one of the following mitigation techniques:
 Note that only the log4j-core JAR file is impacted by this vulnerability.
 Applications using only the log4j-api JAR file without the log4j-core JAR file 
are not impacted by this vulnerability.
 
+Also note that Apache Log4j is the only Logging Services subproject affected 
by this vulnerability.
+Other projects like Log4net and Log4cxx are not impacted by this.
+
 ### History
 **Older (discredited) mitigation measures**
 
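Review bot: the added paragraph ends with a dangling "are not impacted by this"; say "by this vulnerability" as the sentence above it does. Also, "Other projects like Log4net and Log4cxx" reads as an open-ended example list right after a sentence claiming Log4j is the "only" affected subproject; "Other Logging Services subprojects, such as Log4net and Log4cxx, are not affected" keeps the scope explicit.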
@@ -124,11 +127,11 @@ features do not protect against attacker controlled LDAP 
and other JNDI related
 | Versions Affected | All versions from 2.0-beta9 to 2.14.1 |
 
 ### Description
-In Apache Log4j2 versions up to and including 2.14.1,
+In Apache Log4j2 versions up to and including 2.14.1 (excluding security 
release 2.12.2),
 the JNDI features used in configurations, log messages, and parameters do not
-protect against attacker-controlled LDAP and other JNDI related endpoints. An 
attacker who can control log
-messages or log message parameters can execute arbitrary code loaded from LDAP 
servers when message lookup
-substitution is enabled.
+protect against attacker-controlled LDAP and other JNDI related endpoints.
+An attacker who can control log messages or log message parameters can execute
+arbitrary code loaded from LDAP servers when message lookup substitution is 
enabled.
 
 ### Mitigation
 
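Review bot: the Description now excludes "security release 2.12.2" from the affected range, but the "Versions Affected" table row just above still says "All versions from 2.0-beta9 to 2.14.1" with no exclusion. Tooling and readers that only consult the table will still treat 2.12.2 as vulnerable; update the row to match, for example "All versions from 2.0-beta9 to 2.14.1, except 2.12.2".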
@@ -151,6 +154,9 @@ Implement one of the following mitigation techniques:
 Note that only the log4j-core JAR file is impacted by this vulnerability.
 Applications using only the log4j-api JAR file without the log4j-core JAR file 
are not impacted by this vulnerability.
 
+Also note that Apache Log4j is the only Logging Services subproject affected 
by this vulnerability.
+Other projects like Log4net and Log4cxx are not impacted by this.
+
 ### History
 #### Older (discredited) mitigation measures
 
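Review bot: this paragraph is a verbatim copy of the one added to the CVE-2021-45046 section, including the dangling "are not impacted by this". Fix the wording in both places in the same way ("by this vulnerability"), since the two copies will otherwise drift apart on the next edit.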
