Posted to commits@logging.apache.org by gg...@apache.org on 2021/12/15 12:47:09 UTC
[logging-log4j2] branch release-2.x updated: log4j2.noFormatMsgLookup -> log4j2.formatMsgNoLookups
This is an automated email from the ASF dual-hosted git repository.
ggregory pushed a commit to branch release-2.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
The following commit(s) were added to refs/heads/release-2.x by this push:
new ab2fb45 log4j2.noFormatMsgLookup -> log4j2.formatMsgNoLookups
ab2fb45 is described below
commit ab2fb451d248702880a231646dace6b3ec9d98c2
Author: Gary Gregory <ga...@gmail.com>
AuthorDate: Wed Dec 15 07:47:05 2021 -0500
log4j2.noFormatMsgLookup -> log4j2.formatMsgNoLookups
---
src/site/markdown/security.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/site/markdown/security.md b/src/site/markdown/security.md
index 14866ed..672b28b 100644
--- a/src/site/markdown/security.md
+++ b/src/site/markdown/security.md
@@ -1,4 +1,4 @@
-<!-- vim: set syn=markdown : -->
+log4j2.formatMsgNoLookups<!-- vim: set syn=markdown : -->
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
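Review bot: The first line of security.md now begins with the literal text `log4j2.formatMsgNoLookups` in front of the `<!-- vim: set syn=markdown : -->` modeline, which looks like an accidental paste while making the rename. Because it sits outside the HTML comment, it will be rendered as stray text at the top of the security page, ahead of the license header. Suggest restoring the line to `<!-- vim: set syn=markdown : -->` so that this commit only touches the Description paragraph.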
@@ -61,7 +61,7 @@ Base CVSS Score: 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
Versions Affected: all versions from 2.0-beta9 to 2.15.0
#### Description
-It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. [...]
+It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. [...]
#### Mitigation
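Review bot: The changed Description line still reads "This could allows attackers" and "denial of service (DOS)"; since the line is being rewritten anyway, correct these to "This could allow attackers" and "(DoS)". The visible parts of the removed and added lines are identical, so the rename named in the commit subject (`log4j2.noFormatMsgLookup` to `log4j2.formatMsgNoLookups`) must fall in the portion elided by `[...]` and cannot be confirmed from this mail. As the diffstat shows only two changed lines in the file, also check that the Mitigation section below carries no remaining occurrence of the old property name, since a misspelled system property is silently ignored and would leave readers believing they had applied the mitigation.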