Posted to commits@logging.apache.org by rp...@apache.org on 2021/12/21 09:02:42 UTC

[logging-log4j-site] branch asf-staging updated: Simplify About page in 2.3.1 and 2.12.3

This is an automated email from the ASF dual-hosted git repository.

rpopma pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new 54a3c7e  Simplify About page in 2.3.1 and 2.12.3
54a3c7e is described below

commit 54a3c7ee831d6d13c37d7c053fa2fc144ce39805
Author: Remko Popma <re...@yahoo.com>
AuthorDate: Tue Dec 21 18:02:33 2021 +0900

    Simplify About page in 2.3.1 and 2.12.3
---
 log4j-2.12.3/index.html |  99 +++++++++++++++-------------------
 log4j-2.3.1/index.html  | 141 ++++++++++++++----------------------------------
 2 files changed, 82 insertions(+), 158 deletions(-)

diff --git a/log4j-2.12.3/index.html b/log4j-2.12.3/index.html
index 68708d4..7ea71ca 100644
--- a/log4j-2.12.3/index.html
+++ b/log4j-2.12.3/index.html
@@ -330,64 +330,49 @@
     See the License for the specific language governing permissions and
     limitations under the License. --><h1>Apache Log4j 2</h1>
 <p>Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many of the improvements available in Logback while fixing some inherent problems in Logback&#x2019;s architecture.</p>
-<p><a name="CVE-2021-45105"></a></p>
-<div class="section">
-<h2><a name="Important:_Security_Vulnerability_CVE-2021-45105"></a>Important: Security Vulnerability CVE-2021-45105</h2>
-<p>The Log4j team has been made aware of a security vulnerability, CVE-2021-45105, that has been addressed in Log4j 2.17.0 for Java 8 and up, and in Log4j 2.12.3 for Java 7.</p>
-<p>Summary: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.</p>
-<div class="section">
-<div class="section">
-<h4><a name="Details"></a>Details</h4>
-<p>Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, <tt>$${ctx:loginId}</tt>), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Se [...]
-<div class="section">
-<h4><a name="Mitigation"></a>Mitigation</h4>
-<p>From version 2.17.0 (for Java 8) and 2.12.3 (for Java 7), only lookup strings in configuration are expanded recursively; in any other usage, only the top-level lookup is resolved, and any nested lookups are not resolved.</p>
-<p>In prior releases this issue can be mitigated by ensuring your logging configuration does the following:</p>
 
-<ul>
-  
-<li>In PatternLayout in the logging configuration, replace Context Lookups like <tt>${ctx:loginId}</tt>or <tt>$${ctx:loginId}</tt> with Thread Context Map patterns (%X, %mdc, or %MDC).</li>
-  
-<li>Otherwise, in the configuration, remove references to Context Lookups like <tt>${ctx:loginId}</tt> or <tt>$${ctx:loginId}</tt> where they originate from sources external to the application such as HTTP headers or user input.</li>
-</ul></div>
-<div class="section">
-<h4><a name="Reference"></a>Reference</h4>
-<p>Please refer to the <a class="externalLink" href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105">Security page</a> for details and mitigation measures for older versions of Log4j.</p>
-<p><a name="CVE-2021-45046"></a></p></div></div></div>
-<div class="section">
-<h2><a name="Important:_Security_Vulnerability_CVE-2021-45046"></a>Important: Security Vulnerability CVE-2021-45046</h2>
-<p>The Log4j team has been made aware of a security vulnerability, CVE-2021-45046, that has been addressed in Log4j 2.12.2 for Java 7 and 2.16.0 for Java 8 and up.</p>
-<p>Summary: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.</p>
-<div class="section">
-<div class="section">
-<h4><a name="Details"></a>Details</h4>
-<p>It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, <tt>$${ctx:loginId}</tt>), attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in  [...]
-<p>Note that previous mitigations involving configuration such as setting the system property <tt>log4j2.formatMsgNoLookups</tt> to <tt>true</tt> do NOT mitigate this specific vulnerability.</p></div>
-<div class="section">
-<h4><a name="Mitigation"></a>Mitigation</h4>
-<p>In version 2.12.2 (for Java 7), Log4j disables access to JNDI by default. Usage of JNDI in configuration now needs to be enabled explicitly. Calls to the JndiLookup will now return a constant string. Also, Log4j now limits the protocols by default to only java. The message lookups feature has been completely removed. Lookups in configuration still work.</p>
-<p>From version 2.16.0 (for Java 8), the message lookups feature has been completely removed. Lookups in configuration still work. Furthermore, Log4j now disables access to JNDI by default. Users are advised not to enable JNDI in Log4j 2.16.0. If the JMS Appender is required, use Log4j 2.12.2.</p></div>
-<div class="section">
-<h4><a name="Reference"></a>Reference</h4>
-<p>Please refer to the <a class="externalLink" href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046">Security page</a> for details and mitigation measures for older versions of Log4j.</p>
-<p><a name="CVE-2021-44228"></a></p></div></div></div>
-<div class="section">
-<h2><a name="Important:_Security_Vulnerability_CVE-2021-44228"></a>Important: Security Vulnerability CVE-2021-44228</h2>
-<p>The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, that has been addressed in Log4j 2.12.2 and Log4j 2.16.0.</p>
-<div class="section">
-<div class="section">
-<h4><a name="Summary"></a>Summary</h4>
-<p>Log4j&#x2019;s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code execution.</p></div>
-<div class="section">
-<h4><a name="Details"></a>Details</h4>
-<p>One vector that allowed exposure to this vulnerability was Log4j&#x2019;s allowance of Lookups to appear in log messages. This meant that when user input is logged, and that user input contained a JNDI Lookup pointing to a malicious server, then Log4j would resolve that JNDI Lookup, connect to that server, and potentially download serialized Java code from that remote server. This in turn could execute any code during deserialization. This is known as a RCE (Remote Code Execution) att [...]
-<div class="section">
-<h4><a name="Mitigation"></a>Mitigation</h4>
-<p>In version 2.12.2 (for Java 7), Log4j disables access to JNDI by default. Usage of JNDI in configuration now needs to be enabled explicitly. Calls to the JndiLookup will now return a constant string. Also, Log4j now limits the protocols by default to only java. The message lookups feature has been completely removed. Lookups in configuration still work.</p>
-<p>From version 2.16.0 (for Java 8), the message lookups feature has been completely removed. Lookups in configuration still work. Furthermore, Log4j now disables access to JNDI by default. Users are advised not to enable JNDI in Log4j 2.16.0. If the JMS Appender is required, use Log4j 2.12.2.</p></div>
-<div class="section">
-<h4><a name="Reference"></a>Reference</h4>
-<p>Please refer to the <a class="externalLink" href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228">Security page</a> for mitigation measures for older versions of Log4j.</p></div></div></div>
+						<div class="section">
+							<h2><a name="Important:_Security_Vulnerabilities_CVE-2021-45105_CVE-2021-45046_and_CVE-2021-44228"></a>Important: Security Vulnerabilities CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228</h2>
+							<p><a name="CVE-2021-45105"></a></p>
+							<div class="section">
+								<h3><a name="CVE-2021-45105"></a>CVE-2021-45105</h3>
+								<p>Summary: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.</p>
+								<div class="section">
+									<h4><a name="Details"></a>Details</h4>
+									<p>Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, <tt>$${ctx:loginId}</tt>), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Den [...]
+								<div class="section">
+									<h4><a name="Mitigation"></a>Mitigation</h4>
+									<p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).</p></div>
+								<div class="section">
+									<h4><a name="Reference"></a>Reference</h4>
+									<p>Please refer to the <a class="externalLink" href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105">Security page</a> for details and mitigation measures for older versions of Log4j.</p>
+									<p><a name="CVE-2021-45046"></a></p></div></div>
+							<div class="section">
+								<h3><a name="CVE-2021-45046"></a>CVE-2021-45046</h3>
+								<p>Summary: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.</p>
+								<div class="section">
+									<h4><a name="Details"></a>Details</h4>
+									<p>It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, <tt>$${ctx:loginId}</tt>), attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code exec [...]
+								<div class="section">
+									<h4><a name="Mitigation"></a>Mitigation</h4>
+									<p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).</p></div>
+								<div class="section">
+									<h4><a name="Reference"></a>Reference</h4>
+									<p>Please refer to the <a class="externalLink" href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046">Security page</a> for details and mitigation measures for older versions of Log4j.</p>
+									<p><a name="CVE-2021-44228"></a></p></div></div>
+							<div class="section">
+								<h3><a name="CVE-2021-44228"></a>CVE-2021-44228</h3>
+								<p>Summary: Log4j&#x2019;s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code execution.</p>
+								<div class="section">
+									<h4><a name="Details"></a>Details</h4>
+									<p>One vector that allowed exposure to this vulnerability was Log4j&#x2019;s allowance of Lookups to appear in log messages. This meant that when user input is logged, and that user input contained a JNDI Lookup pointing to a malicious server, then Log4j would resolve that JNDI Lookup, connect to that server, and potentially download serialized Java code from that remote server. This in turn could execute any code during deserialization. This is known as a RCE (Remote Code Execu [...]
+								<div class="section">
+									<h4><a name="Mitigation"></a>Mitigation</h4>
+									<p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).</p></div>
+								<div class="section">
+									<h4><a name="Reference"></a>Reference</h4>
+									<p>Please refer to the <a class="externalLink" href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228">Security page</a> for details and mitigation measures for older versions of Log4j.</p></div></div></div>
+
 <div class="section">
 <h2><a name="Features"></a>Features</h2>
 <div class="section">
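Review bot: the simplification drops two pieces of guidance from this hunk that the new per-CVE "Upgrade to ..." paragraphs do not carry: the caveat that setting the system property `log4j2.formatMsgNoLookups` to `true` does NOT mitigate CVE-2021-45046, and the configuration-level workarounds for CVE-2021-45105 (replacing `${ctx:loginId}` / `$${ctx:loginId}` in PatternLayout with `%X`, `%mdc` or `%MDC`, or removing Context Lookups fed from external sources). Readers of a 2.12.x page are often exactly the ones who cannot upgrade quickly, so consider keeping at least the `formatMsgNoLookups` sentence in the CVE-2021-45046 Mitigation section, or stating explicitly that older-version workarounds live on the linked Security page. Two smaller points: each CVE anchor is now defined twice in the same page (`<p><a name="CVE-2021-45105"></a></p>` immediately followed by `<h3><a name="CVE-2021-45105"></a>`), and `name="Details"`, `name="Mitigation"` and `name="Reference"` each appear three times, so in-page links to those fragments resolve only to the first occurrence; and the added lines are tab-indented while the surrounding file (see the unchanged `<div class="section">` / `<h2>` lines) uses no indentation.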
diff --git a/log4j-2.3.1/index.html b/log4j-2.3.1/index.html
index 19833bb..ec51099 100644
--- a/log4j-2.3.1/index.html
+++ b/log4j-2.3.1/index.html
@@ -272,109 +272,48 @@
     limitations under the License. -->
     
 
-      <a name="CVE-2021-45105"></a>
-      
 <div class="section">
-<h2><a name="Important:_Security_Vulnerabilities_CVE-2021-45105_CVE-2021-45046_and_CVE-2021-44228"></a>Important: Security Vulnerabilities CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228</h2>
+	<h2><a name="Important:_Security_Vulnerabilities_CVE-2021-45105_CVE-2021-45046_and_CVE-2021-44228"></a>Important: Security Vulnerabilities CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228</h2>
+	<p><a name="CVE-2021-45105"></a></p>
+	<div class="section">
+		<h3><a name="CVE-2021-45105"></a>CVE-2021-45105</h3>
+		<p>Summary: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.</p>
+		<div class="section">
+			<h4><a name="Details"></a>Details</h4>
+			<p>Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, <tt>$${ctx:loginId}</tt>), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of [...]
+		<div class="section">
+			<h4><a name="Mitigation"></a>Mitigation</h4>
+			<p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).</p></div>
+		<div class="section">
+			<h4><a name="Reference"></a>Reference</h4>
+			<p>Please refer to the <a class="externalLink" href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105">Security page</a> for details and mitigation measures for older versions of Log4j.</p>
+			<p><a name="CVE-2021-45046"></a></p></div></div>
+	<div class="section">
+		<h3><a name="CVE-2021-45046"></a>CVE-2021-45046</h3>
+		<p>Summary: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.</p>
+		<div class="section">
+			<h4><a name="Details"></a>Details</h4>
+			<p>It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, <tt>$${ctx:loginId}</tt>), attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution  [...]
+		<div class="section">
+			<h4><a name="Mitigation"></a>Mitigation</h4>
+			<p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).</p></div>
+		<div class="section">
+			<h4><a name="Reference"></a>Reference</h4>
+			<p>Please refer to the <a class="externalLink" href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046">Security page</a> for details and mitigation measures for older versions of Log4j.</p>
+			<p><a name="CVE-2021-44228"></a></p></div></div>
+	<div class="section">
+		<h3><a name="CVE-2021-44228"></a>CVE-2021-44228</h3>
+		<p>Summary: Log4j&#x2019;s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code execution.</p>
+		<div class="section">
+			<h4><a name="Details"></a>Details</h4>
+			<p>One vector that allowed exposure to this vulnerability was Log4j&#x2019;s allowance of Lookups to appear in log messages. This meant that when user input is logged, and that user input contained a JNDI Lookup pointing to a malicious server, then Log4j would resolve that JNDI Lookup, connect to that server, and potentially download serialized Java code from that remote server. This in turn could execute any code during deserialization. This is known as a RCE (Remote Code Execution)  [...]
+		<div class="section">
+			<h4><a name="Mitigation"></a>Mitigation</h4>
+			<p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).</p></div>
+		<div class="section">
+			<h4><a name="Reference"></a>Reference</h4>
+			<p>Please refer to the <a class="externalLink" href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228">Security page</a> for details and mitigation measures for older versions of Log4j.</p></div></div></div>
 
-      
-<p>The Log4j team has been made aware of multiple security vulnerabilities, CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228,
-        that have been addressed in Log4j 2.3.1 for Java 6.
-        The same vulnerabilities have been addressed in Log4j 2.12.3 for Java 7, and in
-        Log4j 2.17.0 for Java 8 and up.</p>
-
-      
-<div class="section">
-<h3><a name="CVE-2021-45105"></a>CVE-2021-45105</h3>
-      
-<p>Summary: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.</p>
-
-      
-<div class="section">
-<h4><a name="Details"></a>Details</h4>
-      
-<p>Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups.
-        When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, <tt>$${ctx:loginId}</tt>),
-        attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup,
-        resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.</p>
-
-      </div>
-<div class="section">
-<h4><a name="Mitigation"></a>Mitigation</h4>
-      
-<p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8).</p>
-
-      </div>
-<div class="section">
-<h4><a name="Reference"></a>Reference</h4>
-      
-<p>Please refer to the <a class="externalLink" href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105">Security page</a> for details and mitigation measures for older versions of Log4j.</p>
-
-
-      <a name="CVE-2021-45046"></a>
-      </div></div>
-<div class="section">
-<h3><a name="CVE-2021-45046"></a>CVE-2021-45046</h3>
-
-      
-<p>Summary: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.</p>
-
-      
-<div class="section">
-<h4><a name="Details"></a>Details</h4>
-      
-<p>It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
-        When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, <tt>$${ctx:loginId}</tt>),
-        attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern,
-        resulting in an information leak and remote code execution in some environments and local code execution in all environments;
-        remote code execution has been demonstrated on macOS but no other tested environments.</p>
-
-      </div>
-<div class="section">
-<h4><a name="Mitigation"></a>Mitigation</h4>
-      
-<p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8).</p>
-
-      </div>
-<div class="section">
-<h4><a name="Reference"></a>Reference</h4>
-      
-<p>Please refer to the <a class="externalLink" href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046">Security page</a> for details and mitigation measures for older versions of Log4j.</p>
-
-
-      <a name="CVE-2021-44228"></a>
-      </div></div>
-<div class="section">
-<h3><a name="CVE-2021-44228"></a>CVE-2021-44228</h3>
-
-      
-<p>Summary:
-        Log4j&#x2019;s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code
-        execution.</p>
-
-      
-<div class="section">
-<h4><a name="Details"></a>Details</h4>
-      
-<p>One vector that allowed exposure to this vulnerability was Log4j&#x2019;s allowance of Lookups to appear in log messages.
-        This meant that when user input is logged, and that user input contained a JNDI Lookup pointing to a malicious server,
-        then Log4j would resolve that JNDI Lookup, connect to that server, and potentially download serialized Java code from
-        that remote server. This in turn could execute any code during deserialization.
-        This is known as a RCE (Remote Code Execution) attack.</p>
-
-      </div>
-<div class="section">
-<h4><a name="Mitigation"></a>Mitigation</h4>
-      
-<p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8).</p>
-
-      </div>
-<div class="section">
-<h4><a name="Reference"></a>Reference</h4>
-      
-<p>Please refer to the <a class="externalLink" href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228">Security page</a> for details and mitigation measures for older versions of Log4j.</p>
-
-      </div></div>
 <div class="section">
 <h2><a name="Apache_Log4j_2"></a>Apache Log4j 2</h2>
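Review bot: the intro paragraph stating that all three CVEs "have been addressed in Log4j 2.3.1 for Java 6" is removed, so the only place this page now names the fixed release is the repeated Mitigation line; that is acceptable, but consider keeping one sentence under the `<h2>` so a reader scanning the heading sees the fixing version without opening a subsection. The wording change from "(for Java 8)" to "(for Java 8 and later)" in the three Mitigation paragraphs is an improvement and worth keeping. As in the 2.12.3 file, the anchors are duplicated (`<p><a name="CVE-2021-45105"></a></p>` directly before `<h3><a name="CVE-2021-45105"></a>`, and three copies each of `name="Details"`, `name="Mitigation"` and `name="Reference"`), which makes `#Details`-style fragment links ambiguous; prefixing the sub-anchors with the CVE id would fix it. Also the new block is tab-indented whereas the unchanged neighbouring `<div class="section">` and `<h2>` lines are flush left.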