Posted to commits@logging.apache.org by rg...@apache.org on 2021/12/29 19:28:14 UTC

[logging-log4j2] branch log4j-2.3.2-site created (now 61d021b)

This is an automated email from the ASF dual-hosted git repository.

rgoers pushed a change to branch log4j-2.3.2-site
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git.


      at 61d021b  Fixes for site

This branch includes the following new commits:

     new 61d021b  Fixes for site

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


[logging-log4j2] 01/01: Fixes for site

Posted by rg...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

rgoers pushed a commit to branch log4j-2.3.2-site
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git

commit 61d021b89ba3b9cb65a2867dbbcce80420ad486d
Author: Ralph Goers <rg...@apache.org>
AuthorDate: Wed Dec 29 12:27:48 2021 -0700

    Fixes for site
---
 src/changes/announcement.vm               |  2 +
 src/site/xdoc/index.xml                   | 67 +++++++------------------------
 src/site/xdoc/manual/configuration.xml.vm |  4 --
 3 files changed, 17 insertions(+), 56 deletions(-)

diff --git a/src/changes/announcement.vm b/src/changes/announcement.vm
index 6b06f36..df1f871 100644
--- a/src/changes/announcement.vm
+++ b/src/changes/announcement.vm
@@ -26,6 +26,8 @@ Log4j that provides significant improvements over its predecessor, Log4j 1.x, an
 many other modern features such as support for Markers, property substitution using Lookups, and asynchronous
 Loggers. In addition, Log4j 2 will not lose events while reconfiguring.
 
+The artifacts may be downloaded from https://logging.apache.org/log4j/log4j-$relVersion}/download.html.
+
 The major changes contained in this release include:
 
 * Address CVE-2021-45046 and CVE-2021-45105 by disabling recursive evaluation of Lookups during log event processing. Recursive evaluation is still allowed while generating the configuration.
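Review bot: the download URL on the added line has unbalanced braces: `$relVersion}` should be `${relVersion}`. As written, Velocity resolves the bare `$relVersion` reference and leaves the stray `}` in the rendered text, producing a link like `.../log4j/log4j-2.3.2}/download.html`. Suggest `The artifacts may be downloaded from https://logging.apache.org/log4j/log4j-${relVersion}/download.html.` (the trailing period after `.html` will also be glued to the URL in plain-text readers; consider a space or parentheses around it).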
diff --git a/src/site/xdoc/index.xml b/src/site/xdoc/index.xml
index d289bf7..1af3008 100644
--- a/src/site/xdoc/index.xml
+++ b/src/site/xdoc/index.xml
@@ -28,68 +28,31 @@
 
     <body>
 
-      <a name="CVE-2021-45105"/>
-      <h2>Important: Security Vulnerabilities CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228</h2>
-
-      <p>The Log4j team has been made aware of multiple security vulnerabilities, CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228,
-        that have been addressed in Log4j 2.3.1 for Java 6.
-        The same vulnerabilities have been addressed in Log4j 2.12.3 for Java 7, and in
-        Log4j 2.17.0 for Java 8 and up.</p>
+      <a name="CVE-2021-44832"/>
+      <h2>Important: Security Vulnerability CVE-2021-44832</h2>
 
-      <h3>CVE-2021-45105</h3>
-      <p>Summary: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.</p>
+      Summary: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.
 
       <h4>Details</h4>
-      <p>Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups.
-        When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, <code>$${ctx:loginId}</code>),
-        attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup,
-        resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.</p>
-
-      <h4>Mitigation</h4>
-      <p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8).</p>
-
-      <h4>Reference</h4>
-      <p>Please refer to the <a href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105">Security page</a> for details and mitigation measures for older versions of Log4j.</p>
-
-
-      <a name="CVE-2021-45046"/>
-      <h3>CVE-2021-45046</h3>
-
-      <p>Summary: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.</p>
 
-      <h4>Details</h4>
-      <p>It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
-        When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, <code>$${ctx:loginId}</code>),
-        attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern,
-        resulting in an information leak and remote code execution in some environments and local code execution in all environments;
-        remote code execution has been demonstrated on macOS but no other tested environments.</p>
+      Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to
+      a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can
+      construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute
+      remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1,
+      2.12.4, and 2.3.2.
 
       <h4>Mitigation</h4>
-      <p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8).</p>
+      Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later)
 
       <h4>Reference</h4>
-      <p>Please refer to the <a href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046">Security page</a> for details and mitigation measures for older versions of Log4j.</p>
-
-
-      <a name="CVE-2021-44228"/>
-      <h3>CVE-2021-44228</h3>
-
-      <p>Summary:
-        Log4j’s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code
-        execution.</p>
-
-      <h4>Details</h4>
-      <p>One vector that allowed exposure to this vulnerability was Log4j’s allowance of Lookups to appear in log messages.
-        This meant that when user input is logged, and that user input contained a JNDI Lookup pointing to a malicious server,
-        then Log4j would resolve that JNDI Lookup, connect to that server, and potentially download serialized Java code from
-        that remote server. This in turn could execute any code during deserialization.
-        This is known as a RCE (Remote Code Execution) attack.</p>
+      Please refer to the <a href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832">Security Page</a>
+      for details and mitigation measures for older versions of Log4j.
 
-      <h4>Mitigation</h4>
-      <p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8).</p>
+      <a name="CVE-2021-45105"/>
+      <h2>Important: Security Vulnerabilities CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228</h2>
 
-      <h4>Reference</h4>
-      <p>Please refer to the <a href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228">Security page</a> for details and mitigation measures for older versions of Log4j.</p>
+      Please refer to the <a href="https://logging.apache.org/log4j/2.x/security.html">Security Page</a> for details
+      and mitigation measures for these security issues.
 
       <section name="Apache Log4j 2">
 
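Review bot: the added Summary, Details, Mitigation and Reference text is no longer wrapped in `<p>` elements, unlike the `<p>`-wrapped text it replaces and the rest of this xdoc `<body>`, so it will be emitted as bare character data between headings; wrap each of those spans in `<p>…</p>` (e.g. `<p>Summary: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.</p>`). Two smaller points in the same hunk: the new Mitigation line `Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later)` is missing its trailing period, and with the CVE `<h3>` removed the `<h4>Details</h4>` now sits directly under an `<h2>`, while the retained `<a name="CVE-2021-45105"/>` anchor and its `<h2>` still name three CVEs but now carry only a pointer to the Security page; if that is the intent, a `<h3>` for CVE-2021-44832 would keep the heading levels consistent with the earlier layout.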
diff --git a/src/site/xdoc/manual/configuration.xml.vm b/src/site/xdoc/manual/configuration.xml.vm
index c391da0..1e0b768 100644
--- a/src/site/xdoc/manual/configuration.xml.vm
+++ b/src/site/xdoc/manual/configuration.xml.vm
@@ -1377,7 +1377,6 @@ public class AwesomeTest {
   </tr>
   <tr>
     <td><a name="enableJndiContextSelector"/>log4j2.enableJndiContextSelector</td>
-    <td>LOG4J_ENABLE_JNDI_CONTEXT_SELECTOR</td>
     <td>false</td>
     <td>
       When true, the Log4j context selector that uses the JNDI java protocol is enabled. When false, the default, they are disabled.
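Review bot: removing the `LOG4J_ENABLE_JNDI_CONTEXT_SELECTOR` `<td>` drops one cell from this row, so unless the table header and every other row in this properties table also lost the environment-variable column, the remaining cells (`false`, description) will shift under the wrong headers. The header row is not visible in this hunk; please confirm it was updated in the same change, or that the cell is dropped from all rows rather than only these four. If the intent is that these properties have no environment-variable form, an empty `<td></td>` would keep the row aligned without advertising a variable that is not honored.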
@@ -1385,7 +1384,6 @@ public class AwesomeTest {
   </tr>
   <tr>
     <td><a name="enableJndiJdbc"/>log4j2.enableJndiJdbc</td>
-    <td>LOG4J_ENABLE_JNDI_JDBC</td>
     <td>false</td>
     <td>
       When true, a Log4j JDBC Appender configured with a <code>DataSource</code> which uses JNDI's java protocol is enabled. When false, the default, they are disabled.
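Review bot: in the unchanged description on this row, `they are disabled` does not agree with the singular subject `a Log4j JDBC Appender`; suggest `When false, the default, it is disabled.` The same `they` appears in the context-selector row above and in the JMS and lookup rows below, so it is worth fixing all four while this table is being edited. Since this release note (index.xml in the same commit) says JNDI data source names are now limited to the `java` protocol, the description could also say that this flag only enables `java:`-scheme `DataSource` lookups, which is what the `enableJndiJdbc` wording already implies.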
@@ -1393,7 +1391,6 @@ public class AwesomeTest {
   </tr>
   <tr>
     <td><a name="enableJndiJms"/>log4j2.enableJndiJms</td>
-    <td>LOG4J_ENABLE_JNDI_JMS</td>
     <td>false</td>
     <td>
       When true, a Log4j JMS Appender that uses JNDI's java protocol is enabled. When false, the default, they are disabled.
@@ -1401,7 +1398,6 @@ public class AwesomeTest {
   </tr>
   <tr>
     <td><a name="enableJndiLookup"/>log4j2.enableJndiLookup</td>
-    <td>LOG4J_ENABLE_JNDI_LOOKUP</td>
     <td>false</td>
     <td>
       When true, a Log4j lookup that uses JNDI's java protocol is enabled. When false, the default, they are disabled.