Posted to commits@logging.apache.org by ck...@apache.org on 2021/12/18 01:24:38 UTC

[logging-log4j2] 05/16: [DOC] fix typos and rephrase mitigation for CVE-2021-45105

This is an automated email from the ASF dual-hosted git repository.

ckozak pushed a commit to branch release-2.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git

commit 5476a16845cb0b98e0eec711b11d0df8f41fb71d
Author: Remko Popma <re...@yahoo.com>
AuthorDate: Sat Dec 18 08:30:51 2021 +0900

    [DOC] fix typos and rephrase mitigation for CVE-2021-45105
---
 src/site/markdown/index.md.vm | 6 ++----
 src/site/markdown/security.md | 8 +++++---
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/site/markdown/index.md.vm b/src/site/markdown/index.md.vm
index b96e581..74ae75a 100644
--- a/src/site/markdown/index.md.vm
+++ b/src/site/markdown/index.md.vm
@@ -46,10 +46,8 @@ From version 2.17.0 (for Java 8), only lookup strings in configuration are expan
 in any other usage, only the top-level lookup is resolved, and any nested lookups are not resolved.
 
 In prior releases this issue can be mitigated by ensuring your logging configuration does the following:
-* Replace Context Lookups like `${dollar}${dollar}{ctx:loginId}` in PatternLayout with Thread Context Map patterns (%X, %mdc, or %MDC)
-  in the logging configuration.
-* Remove refrences to Context Lookups like `${dollar}${dollar}{ctx:loginId}` in the configuration where they originate
-  from sources external to the application such as HTTP headers or user input.
+* In PatternLayout in the logging configuration, replace Context Lookups like `${dollar}{ctx:loginId}`or `${dollar}${dollar}{ctx:loginId}` with Thread Context Map patterns (%X, %mdc, or %MDC).
+* Otherwise, in the configuration, remove references to Context Lookups like `${dollar}{ctx:loginId}` or `${dollar}${dollar}{ctx:loginId}` where they originate from sources external to the application such as HTTP headers or user input.
 
 $h4 Reference
 Please refer to the [Security page](security.html#CVE-2021-45105) for details and mitigation measures for older versions of Log4j.
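Review bot: the first replaced bullet in this hunk has a typo of its own: there is no space between the closing backtick and "or" in `${dollar}{ctx:loginId}`or `${dollar}${dollar}{ctx:loginId}`, so the two lookup forms will render run together. Since the commit title is "fix typos", please add the space, matching the second bullet in the same hunk, which already has it ("`${dollar}{ctx:loginId}` or `${dollar}${dollar}{ctx:loginId}`"). The rest of the hunk is consistent: the Velocity `${dollar}` escape is kept for both the single and double dollar forms, which mirrors the plain `${ctx:loginId}` / `$${ctx:loginId}` wording added to security.md in this same commit.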
diff --git a/src/site/markdown/security.md b/src/site/markdown/security.md
index 3409747..9b04065 100644
--- a/src/site/markdown/security.md
+++ b/src/site/markdown/security.md
@@ -76,9 +76,11 @@ Log4j 1.x is not impacted by this vulnerability.
 Implement one of the following mitigation techniques:
 
 * Java 8 (or later) users should upgrade to release 2.17.0.
-* Replace Context Lookups like `$${ctx:loginId}` in PatternLayout with Thread Context Map patterns (%X, %mdc, or %MDC) 
-in the logging configuration.
-* Remove refrences to Context Lookups like `$${ctx:loginId}` in the configuration where they originate 
+
+Alternatively, this can be mitigated in configuration:
+
+* In PatternLayout in the logging configuration, replace Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` with Thread Context Map patterns (%X, %mdc, or %MDC).
+* Otherwise, in the configuration, remove references to Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` where they originate 
 from sources external to the application such as HTTP headers or user input.
 
 Note that only the log4j-core JAR file is impacted by this vulnerability.
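Review bot: after this change, the unchanged lead-in "Implement one of the following mitigation techniques:" introduces a list containing a single item (the upgrade to 2.17.0), so "one of the following" no longer matches the structure; either turn that item into a plain sentence ("Java 8 (or later) users should upgrade to release 2.17.0.") before the new "Alternatively, this can be mitigated in configuration:" paragraph, or keep one list and make the two configuration bullets sub-items of an alternative. Separately, the second new bullet still wraps mid-sentence ("... where they originate " with a trailing space, then "from sources external ...") while the first new bullet sits on one line; joining it onto one line, as index.md.vm does in this commit, keeps the two files in step and drops the trailing whitespace.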