Posted to commits@logging.apache.org by gg...@apache.org on 2021/12/15 12:47:09 UTC

[logging-log4j2] branch release-2.x updated: log4j2.noFormatMsgLookup -> log4j2.formatMsgNoLookups

This is an automated email from the ASF dual-hosted git repository.

ggregory pushed a commit to branch release-2.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git


The following commit(s) were added to refs/heads/release-2.x by this push:
     new ab2fb45  log4j2.noFormatMsgLookup -> log4j2.formatMsgNoLookups
ab2fb45 is described below

commit ab2fb451d248702880a231646dace6b3ec9d98c2
Author: Gary Gregory <ga...@gmail.com>
AuthorDate: Wed Dec 15 07:47:05 2021 -0500

    log4j2.noFormatMsgLookup -> log4j2.formatMsgNoLookups
---
 src/site/markdown/security.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/site/markdown/security.md b/src/site/markdown/security.md
index 14866ed..672b28b 100644
--- a/src/site/markdown/security.md
+++ b/src/site/markdown/security.md
@@ -1,4 +1,4 @@
-<!-- vim: set syn=markdown : -->
+log4j2.formatMsgNoLookups<!-- vim: set syn=markdown : -->
 <!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements. See the NOTICE file distributed with
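Review bot: The new first line of security.md begins with the literal text `log4j2.formatMsgNoLookups` in front of the `<!-- vim: set syn=markdown : -->` comment, which looks like an accidental paste rather than an intended edit. The text sits outside any comment, so it would render as stray text at the top of the security page, and the modeline no longer stands alone on line 1. Suggest restoring the line to `<!-- vim: set syn=markdown : -->` and keeping the property rename to the body of the document.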
@@ -61,7 +61,7 @@ Base CVSS Score: 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
 Versions Affected: all versions from 2.0-beta9 to 2.15.0
 
 #### Description
-It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. [...]
+It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. [...]
 
 
 #### Mitigation
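Review bot: On the rewritten Description line, the `+` side still reads "This could allows attackers", the same as the `-` side; since the line is being touched anyway, change it to "This could allow attackers" and consider "DoS" in place of "DOS". The paragraph is one very long line, so the single property rename named in the commit subject appears as a whole-line replacement and the actual change falls in the part that is cut off here. Wrapping the paragraph would make future edits to this advisory text much easier to review.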