This is an automated email from the ASF dual-hosted git repository. rpopma pushed a commit to branch release-2.x in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
The following commit(s) were added to refs/heads/release-2.x by this push: new fafe25d [DOC] update index and security page markdown with changes that were made directly to the site fafe25d is described below commit fafe25d0617e90d9ca376640087a1779a4d4e29d Author: rpopma <rpo...@apache.org> AuthorDate: Fri Dec 17 09:56:48 2021 +0900 [DOC] update index and security page markdown with changes that were made directly to the site --- src/site/markdown/index.md.vm | 34 +++++++++++++++++++++------------- src/site/markdown/security.md | 16 +++++++++++----- 2 files changed, 32 insertions(+), 18 deletions(-) diff --git a/src/site/markdown/index.md.vm b/src/site/markdown/index.md.vm index 3574ef2..848373a 100644 --- a/src/site/markdown/index.md.vm +++ b/src/site/markdown/index.md.vm 
@@ -29,13 +29,14 @@ provides many of the improvements available in Logback while fixing some inheren <a name="CVE-2021-45046"/> $h2 Important: Security Vulnerability CVE-2021-45046 -The Log4j team has been made aware of a security vulnerability, CVE-2021-45046, that has been addressed in Log4j 2.16.0. +The Log4j team has been made aware of a security vulnerability, CVE-2021-45046, that has been addressed in +Log4j 2.12.2 for Java 7 and 2.16.0 for Java 8 and up. Summary: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack. $h4 Details It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default -configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging +configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a Pattern Layout with either a Context Lookup (for example, \$\$\{ctx:loginId\}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. 
@@ -44,13 +45,17 @@ Note that previous mitigations involving configuration such as setting the syste to `true` do NOT mitigate this specific vulnerability. $h4 Mitigation -In version 2.12.2 (for Java 7), Log4j disables access to JNDI by default. Usage of JNDI in configuration now need to be enabled explicitly. -Calls to the JndiLookup will now return a constant string. Also, Log4j now limits the protocols by default to only java. -The message lookups feature has been completely removed. - -From version 2.16.0 (for Java 8), Log4j disables access to JNDI by default. JNDI lookups in configuration now need to be enabled explicitly. -Also, Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap -protocols to only accessing Java primitive objects. Hosts other than the local host need to be explicitly allowed. +In version 2.12.2 (for Java 7), Log4j disables access to JNDI by default. +Usage of JNDI in configuration now needs to be enabled explicitly. +Calls to the JndiLookup will now return a constant string. +Also, Log4j now limits the protocols by default to only java. +The message lookups feature has been completely removed. Lookups in configuration still work. + +From version 2.16.0 (for Java 8), Log4j disables access to JNDI by default. +JNDI lookups in configuration now need to be enabled explicitly. +Also, Log4j now limits the protocols by default to only java, ldap, and ldaps +and limits the ldap protocols to only accessing Java primitive objects. +Hosts other than the local host need to be explicitly allowed. The message lookups feature has been completely removed. $h4 Reference 
@@ -60,7 +65,8 @@ Please refer to the [Security page](security.html#CVE-2021-45046) for details an <a name="CVE-2021-44228"/> $h2 Important: Security Vulnerability CVE-2021-44228 -The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, that has been addressed in Log4j 2.16.0. +The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, that has been addressed +in Log4j 2.12.2 and Log4j 2.16.0. $h4 Summary Log4j’s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code @@ -74,9 +80,11 @@ that remote server. This in turn could execute any code during deserialization. This is known as a RCE (Remote Code Execution) attack. $h4 Mitigation -In version 2.12.2 (for Java 7), Log4j disables access to JNDI by default. Usage of JNDI in configuration now need to be enabled explicitly. -Calls to the JndiLookup will now return a constant string. Also, Log4j now limits the protocols by default to only java. -The message lookups feature has been completely removed. +In version 2.12.2 (for Java 7), Log4j disables access to JNDI by default. +Usage of JNDI in configuration now needs to be enabled explicitly. +Calls to the JndiLookup will now return a constant string. +Also, Log4j now limits the protocols by default to only java. +The message lookups feature has been completely removed. Lookups in configuration still work. From version 2.16.0 (for Java 8), the message lookups feature has been completely removed. Lookups in configuration still work. Furthermore, Log4j now disables access to JNDI by default. JNDI lookups in configuration now need to be enabled explicitly. diff --git a/src/site/markdown/security.md b/src/site/markdown/security.md index f854451..8addf4c 100644 --- a/src/site/markdown/security.md +++ b/src/site/markdown/security.md 
@@ -46,7 +46,7 @@ that has security impact, or if the descriptions here are incomplete, please rep privately to the [Log4j Security Team](mailto:priv...@logging.apache.org). Thank you. -## <a name="log4j-2.16.0"/> Fixed in Log4j 2.16.0 (Java 8) +## <a name="log4j-2.16.0"/> Fixed in Log4j 2.12.2 (Java 7) and Log4j 2.16.0 (Java 8) <a name="CVE-2021-45046"/><a name="cve-2021-45046"/> [CVE-2021-45046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046): Apache Log4j2 @@ -79,6 +79,9 @@ Implement one of the following mitigation techniques: Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability. +Also note that Apache Log4j is the only Logging Services subproject affected by this vulnerability. +Other projects like Log4net and Log4cxx are not impacted by this. + ### History **Older (discredited) mitigation measures** @@ -124,11 +127,11 @@ features do not protect against attacker controlled LDAP and other JNDI related | Versions Affected | All versions from 2.0-beta9 to 2.14.1 | ### Description -In Apache Log4j2 versions up to and including 2.14.1, +In Apache Log4j2 versions up to and including 2.14.1 (excluding security release 2.12.2), the JNDI features used in configurations, log messages, and parameters do not -protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log -messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup -substitution is enabled. +protect against attacker-controlled LDAP and other JNDI related endpoints. +An attacker who can control log messages or log message parameters can execute +arbitrary code loaded from LDAP servers when message lookup substitution is enabled. ### Mitigation 
@@ -151,6 +154,9 @@ Implement one of the following mitigation techniques: Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability. +Also note that Apache Log4j is the only Logging Services subproject affected by this vulnerability. +Other projects like Log4net and Log4cxx are not impacted by this. + ### History #### Older (discredited) mitigation measures
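Review bot: the `Summary:` line in the CVE-2021-45046 hunk of index.md.vm (`@@ -29,13 +29,14 @@`) is inline prose, while the CVE-2021-44228 section later in the same file introduces its summary with a `$h4 Summary` heading; use `$h4 Summary` here as well so both vulnerability write-ups share one structure, and while touching the block consider `DoS` rather than `DOS` in "denial of service (DOS) attack".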
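Review bot: in the CVE-2021-45046 Mitigation hunk of index.md.vm (`@@ -44,13 +45,17 @@`) the 2.12.2 paragraph gains "Lookups in configuration still work.", but the 2.16.0 paragraph directly below still ends with the unchanged "The message lookups feature has been completely removed." and says nothing about configuration lookups, even though the CVE-2021-44228 section of the same file states for 2.16.0 "The message lookups feature has been completely removed. Lookups in configuration still work."; add that sentence to the 2.16.0 paragraph here so readers of either section get the same answer.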
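Review bot: the rewritten opening sentence in the CVE-2021-44228 hunk of index.md.vm (`@@ -60,7 +65,8 @@`) reads "addressed in Log4j 2.12.2 and Log4j 2.16.0" without the Java-version qualifiers, whereas the CVE-2021-45046 sentence in the same file now says "Log4j 2.12.2 for Java 7 and 2.16.0 for Java 8 and up"; use the same wording in both places so it is clear which release applies to which runtime.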
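Review bot: the 2.12.2 mitigation paragraph added in the `@@ -74,9 +80,11 @@` hunk of index.md.vm is a verbatim copy of the one added under CVE-2021-45046, and the two sections' 2.16.0 paragraphs already differ in wording and sentence order (one opens with "Log4j disables access to JNDI by default", the other with "the message lookups feature has been completely removed"); consider keeping the release-specific mitigation text in one place, for example a single `$h4 Mitigation` block or one pointer to security.html, so future corrections do not have to be made twice.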
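Review bot: the heading in the first security.md hunk (`@@ -46,7 +46,7 @@`) now reads "Fixed in Log4j 2.12.2 (Java 7) and Log4j 2.16.0 (Java 8)" but keeps only the `<a name="log4j-2.16.0"/>` anchor; keep that anchor for existing links and add `<a name="log4j-2.12.2"/>` beside it, the way the CVE entry below carries both `CVE-2021-45046` and `cve-2021-45046` anchors, so links to the Java 7 release land on this section.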
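Review bot: the two sentences added in the `@@ -79,6 +79,9 @@` hunk of security.md end with "are not impacted by this", leaving "this" without a noun, and "Other projects like Log4net and Log4cxx" is loose wording for an advisory; suggest "Other Logging Services projects such as Log4net and Log4cxx are not affected by this vulnerability." The identical text is added again in the CVE-2021-44228 entry (`@@ -151,6 +154,9 @@`), so apply the same wording in both places.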
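Review bot: the Description in the `@@ -124,11 +127,11 @@` hunk of security.md now excludes "security release 2.12.2" from the affected range, but the unchanged table row just above it, `| Versions Affected | All versions from 2.0-beta9 to 2.14.1 |`, still lists every version up to 2.14.1 without that exclusion; update the table cell as well (for example "All versions from 2.0-beta9 to 2.14.1, excluding security release 2.12.2") so the table and the prose agree on whether 2.12.2 is affected.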
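Review bot: in the last hunk of security.md (`@@ -151,6 +154,9 @@`) the History section uses a `#### Older (discredited) mitigation measures` heading, while the corresponding History section of the CVE-2021-45046 entry (`@@ -79,6 +79,9 @@`) renders the same title as bold text, `**Older (discredited) mitigation measures**`; pick one form, preferably the `####` heading, so both entries produce the same document outline.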