Posted to notifications@logging.apache.org by GitBox <gi...@apache.org> on 2021/12/09 21:18:15 UTC

[GitHub] [logging-log4j2] remkop commented on pull request #608: Restrict LDAP access via JNDI

remkop commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990264908


   > > > > > Is it a security vulnerability?
   > > > > 
   > > > > 
   > > > > I think it is.
   > > > > It is very surprising that this critical security issue does not seem to have received due attention. It was reported to Apache half a month ago, but it was not fixed until five days ago. Even today, it has not released a new stable version to solve it.
   > > > 
   > > > 
   > > > Oh so glad you show such appreciation for the work of volunteers...
   > > 
   > > 
   > > @garydgregory
   > > I wonder when log4j 2.15 will be officially released? It's hard to imagine that the craziest vulnerability this year has not been solved in the release half a month after it was reported.
   > > Its impact is unimaginable. Countless services using log4j2 are exposed to the risk of being attacked, and the way to attack them is surprisingly simple. Even now I dare not open my Minecraft server, because any member can attack it if they want - he/she can easily control my server by sending a text through the chat bar.
   > > Is there anyone dealing with this matter urgently? It's really incomprehensible that I didn't see Apache give any emergency warning under such a serious problem.
   > 
   > +1, and we are in desperate need of a CVE and security advisory to be announced asap. This could affect hundreds of thousands, if not millions, of services actively running on the internet.
   > 
   > We of course appreciate the efforts from contributors, but overall this is a major security issue that needs a new version release and a security advisory.
   
   My understanding is that the procedure is to hold off on announcing the vulnerability until a patch is available. (See https://www.apache.org/security/).
   
   For background:
   
   The team is taking it seriously. As Gary said, we are all volunteers working on this in our spare time. We are also in different time zones so communication is not instantaneous. If you think things can be improved, that's great! We need more people like you and I would encourage you to [get involved](https://community.apache.org/)!
   
   We are in the process of getting a release out with the fix. During review, some security experts found a new vulnerability in our fix (a way to bypass the fix). This has been addressed and we are now in the process of reviewing the updated 2nd release candidate.
   
   Usually (as per ASF rules) the team [should wait 72 hours](https://www.apache.org/legal/release-policy.html#release-approval) after creating a release candidate before publishing the release to give the community enough time to review and cast their votes. We are building consensus to shorten that window for this particular release, given its urgency.

