Posted to commits@logging.apache.org by rg...@apache.org on 2021/12/11 16:32:17 UTC

[logging-log4j2] branch release-2.x updated: Add changes manually made to the web site

This is an automated email from the ASF dual-hosted git repository.

rgoers pushed a commit to branch release-2.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git


The following commit(s) were added to refs/heads/release-2.x by this push:
     new 5aa6e95  Add changes manually made to the web site
5aa6e95 is described below

commit 5aa6e959a85bfd2b81c5259347f1cc21ca2b04de
Author: Ralph Goers <rg...@apache.org>
AuthorDate: Sat Dec 11 09:32:10 2021 -0700

    Add changes manually made to the web site
---
 src/changes/changes.xml             |  2 ++
 src/site/markdown/index.md.vm       | 19 +++++++++++++++++++
 src/site/markdown/security.md       | 28 ++++++++++++++++++++++++++++
 src/site/xdoc/manual/layouts.xml.vm |  7 ++++++-
 4 files changed, 55 insertions(+), 1 deletion(-)

diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 956a779..29acead 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -29,6 +29,8 @@
          - "update" - Change
          - "remove" - Removed
     -->
+    <release version="2.15.0" date="2021-12-XX" description="GA Release 2.15.1">
+    </release>
     <release version="2.15.0" date="2021-12-06" description="GA Release 2.15.0">
       <!-- ADDS -->
       <action issue="LOG4J2-3198" dev="ckozak" type="add">
diff --git a/src/site/markdown/index.md.vm b/src/site/markdown/index.md.vm
index fb596f6..a2ae172 100644
--- a/src/site/markdown/index.md.vm
+++ b/src/site/markdown/index.md.vm
@@ -136,6 +136,25 @@ Java 7). Some features require optional dependencies; the documentation for thes
 dependencies.
 
 $h2 News
+$h3 CVE-2021-44228
+
+The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, that has been addressed in Log4j 2.15.0.
+
+Log4j’s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code
+execution. Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap protocols to only
+accessing Java primitive objects by default served on the local host.</p>
+
+One vector that allowed exposure to this vulnerability was Log4j’s allowance of Lookups to appear in log messages. As of
+Log4j 2.15.0 this feature is now disabled by default. While an option has been provided to enable Lookups in this fashion,
+users are strongly discouraged from enabling it.
+
+For those who cannot upgrade to 2.15.0, in releases >=2.10, this vulnerability can be mitigated by setting either the
+system property `log4j2.formatMsgNoLookups` or the environment variable `LOG4J_FORMAT_MSG_NO_LOOKUPS` to `true`. For
+releases from 2.7 through 2.14.1 all PatternLayout patterns can be modified to specify the message converter as
+`%m{nnolookups}` instead of just `%m`. For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the
+`JndiLookup` class from the classpath:`zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`
+
+$h 3Other News
 
 Log4j $Log4jReleaseVersion is now available for production. The API for Log4j 2 is not compatible with Log4j 1.x, however an adapter is
 available to allow applications to continue to use the Log4j 1.x API. Adapters are also available for Apache Commons
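Review bot: `$h 3Other News` breaks the heading macro this file uses everywhere else (`$h2 News`, `$h3 CVE-2021-44228` in the same hunk); it should read `$h3 Other News`, otherwise the line renders as literal text instead of a heading. Three more points in the same hunk: the `</p>` left at the end of "served on the local host.</p>" is a stray HTML close tag in a Markdown source, `%m{nnolookups}` has a doubled `n` and should be `%m{nolookups}`, and the mitigation paragraph's version ranges overlap and disagree with security.md in this same commit (here removing `JndiLookup` is given for "2.0-beta9 to 2.10.0", there for "2.0-beta9 to 2.7"); pick one set of ranges and use it on both pages.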
diff --git a/src/site/markdown/security.md b/src/site/markdown/security.md
index c4d156d..2e5eae7 100644
--- a/src/site/markdown/security.md
+++ b/src/site/markdown/security.md
@@ -45,6 +45,34 @@ If you have encountered an unlisted security vulnerability or other unexpected b
 that has security impact, or if the descriptions here are incomplete, please report them 
 privately to the [Log4j Security Team](mailto:private@logging.apache.org). Thank you.
 
+### Fixed in Log4j 2.15.0
+
+[CVE-2021-4422](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228):  Apache Log4j2 JNDI 
+features do not protect against attacker controlled LDAP and other JNDI related endpoints.
+
+Severity: Critical
+
+Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+
+Versions Affected: all versions from 2.0-beta9 to 2.14.1
+
+Descripton: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not 
+protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log 
+messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup 
+substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.
+
+Mitigation: In releases >=2.10, this behavior can be mitigated by setting either the system property 
+`log4j2.formatMsgNoLookups` or the environment variable `LOG4J_FORMAT_MSG_NO_LOOKUPS` to `true`.
+For releases from 2.7 through 2.14.1 all PatternLayout patterns can be modified to specify the message converter as
+`%m{nnolookups}` instead of just `%m`.
+For releases from 2.0-beta9 to 2.7, the only mitigation is to remove the `JndiLookup` class from the classpath: 
+`zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`.
+
+Credit: This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team.
+
+References: [https://issues.apache.org/jira/browse/LOG4J2-3201](https://issues.apache.org/jira/browse/LOG4J2-3201)
+and [https://issues.apache.org/jira/browse/LOG4J2-3198](https://issues.apache.org/jira/browse/LOG4J2-3198).
+
 ### Fixed in Log4j 2.13.2
 
 [CVE-2020-9488](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9488):  Improper validation of certificate with host mismatch in Apache Log4j SMTP appender.
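Review bot: the link text `CVE-2021-4422` drops the last digit of the identifier that the URL on the same line carries (`CVE-2021-44228`), so the visible CVE number is wrong; fix the text to match the link. Also in this hunk: `Descripton:` should be `Description:`, `%m{nnolookups}` has a doubled `n` and should be `%m{nolookups}`, and the mitigation paragraph's ranges leave 2.10.0 itself ambiguous (">=2.10" for the property, "2.7 through 2.14.1" for the pattern, "2.0-beta9 to 2.7" for the class removal) while index.md.vm in the same commit gives "2.0-beta9 to 2.10.0" for the class removal; the two pages should state the same ranges.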
diff --git a/src/site/xdoc/manual/layouts.xml.vm b/src/site/xdoc/manual/layouts.xml.vm
index 8f0ed74..727ea1a 100644
--- a/src/site/xdoc/manual/layouts.xml.vm
+++ b/src/site/xdoc/manual/layouts.xml.vm
@@ -1460,7 +1460,7 @@ WARN  [main]: Message 2</pre>
             <tr>
               <td align="center">
                 <a name="PatternMessage"/>
-                <b>m</b>{ookups}{ansi}<br />
+                <b>m</b>{lookups}{ansi}<br />
                 <b>msg</b>{lookups}{ansi}<br />
                 <b>message</b>{lookups}{ansi}
               </td>
@@ -1504,6 +1504,11 @@ WARN  [main]: Message 2</pre>
                   more obvious to handle the lookup in code.
                   This feature is disabled by default and the message string is logged untouched.
                 </p>
+                <p>
+                  <b>Note: </b>Users are <b>STRONGLY</b> discouraged from using the lookups option. Doing so may allow uncontrolled user input
+                  containing lookups to take unintended actions. In almost all cases the software developer can accomplish the same tasks
+                  lookups perform directly in the application code.
+                </p>
               </td>
             </tr>
             <tr>