Posted to commits@logging.apache.org by vy...@apache.org on 2021/12/12 19:13:49 UTC

[logging-log4j-site] branch asf-staging updated: Make it explicit that CVE-2021-4422 affects only log4j-core.

This is an automated email from the ASF dual-hosted git repository.

vy pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new 02b6f8d  Make it explicit that CVE-2021-4422 affects only log4j-core.
02b6f8d is described below

commit 02b6f8d088d4c534de765f1721a1e167c4b35449
Author: Volkan Yazıcı <vo...@yazi.ci>
AuthorDate: Sun Dec 12 20:13:35 2021 +0100

    Make it explicit that CVE-2021-4422 affects only log4j-core.
---
 log4j-2.15.1/security.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/log4j-2.15.1/security.html b/log4j-2.15.1/security.html
index adeed72..b217d65 100644
--- a/log4j-2.15.1/security.html
+++ b/log4j-2.15.1/security.html
@@ -167,9 +167,9 @@
 <p><a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228">CVE-2021-4422</a>:  Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.</p>
 <p>Severity: Critical</p>
 <p>Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H</p>
-<p>Versions Affected: all versions from 2.0-beta9 to 2.14.1</p>
+<p>Versions Affected: all log4j-core versions from 2.0-beta9 to 2.14.1</p>
 <p>Descripton: Apache Log4j2 &lt;=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.</p>
-<p>Mitigation: In releases &gt;=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases from 2.7 through 2.14.1 all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m. For releases from 2.0-beta9 to 2.7, the only mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apa [...]
+<p>Mitigation: In releases &gt;=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases from 2.7 through 2.14.1, all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m. For releases from 2.0-beta9 to 2.7, the only mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/ap [...]
 <p>Credit: This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team.</p>
 <p>References: <a class="externalLink" href="https://issues.apache.org/jira/browse/LOG4J2-3201">https://issues.apache.org/jira/browse/LOG4J2-3201</a> and <a class="externalLink" href="https://issues.apache.org/jira/browse/LOG4J2-3198">https://issues.apache.org/jira/browse/LOG4J2-3198</a>.</p></section><section>
 <h3><a name="Fixed_in_Log4j_2.13.2"></a>Fixed in Log4j 2.13.2</h3>
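Review bot: The `+` line changes "all versions" to "all log4j-core versions", but the surrounding context lines leave two errors in the same paragraph that this commit could fix while it is touching the block: the link text in the first context line reads "CVE-2021-4422" while its href points at CVE-2021-44228, and the description line is labelled "Descripton". Since the advisory text is what readers will copy into their own tracking, the identifier mismatch is the one worth fixing first. Also, the commit title says the issue affects only log4j-core, but the changed line only narrows the affected range to log4j-core without saying the other modules are unaffected; if that is the intent, consider stating it explicitly, e.g. "Versions Affected: all log4j-core versions from 2.0-beta9 to 2.14.1 (other modules are not affected)".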