You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@logging.apache.org by rg...@apache.org on 2021/12/10 09:12:20 UTC
[logging-log4j-site] branch asf-staging updated: update severity
This is an automated email from the ASF dual-hosted git repository.
rgoers pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git
The following commit(s) were added to refs/heads/asf-staging by this push:
new cdc9fc4 update severity
cdc9fc4 is described below
commit cdc9fc4be9cdd593c1e2602d02106eb1157bd96d
Author: Ralph Goers <rg...@apache.org>
AuthorDate: Fri Dec 10 02:12:10 2021 -0700
update severity
---
log4j-2.15.0/security.html | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/log4j-2.15.0/security.html b/log4j-2.15.0/security.html
index 59426b7..056123b 100644
--- a/log4j-2.15.0/security.html
+++ b/log4j-2.15.0/security.html
@@ -165,7 +165,7 @@
<p>If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the <a class="externalLink" href="mailto:private@logging.apache.org">Log4j Security Team</a>. Thank you.</p><section><section>
<h3><a name="Fixed_in_Log4j_2.15.0"></a>Fixed in Log4j 2.15.0</h3>
<p><a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228">CVE-2021-44228</a>: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.</p>
-<p>Severity: High</p>
+<p>Severity: Critical</p>
<p>Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H</p>
<p>Versions Affected: all versions from 2.0-beta9 to 2.14.1</p>
<p>Descripton: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.</p>