Posted to commits@logging.apache.org by rp...@apache.org on 2021/12/14 15:03:20 UTC

[logging-log4j-site] branch asf-staging updated: [DOC] Add Work In Progress notice and credit Kai Mindermann

This is an automated email from the ASF dual-hosted git repository.

rpopma pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new c4aafe0  [DOC] Add Work In Progress notice and credit Kai Mindermann
c4aafe0 is described below

commit c4aafe0b3a75f2e42538a9c940c66860f4b7fa83
Author: Remko Popma <re...@yahoo.com>
AuthorDate: Wed Dec 15 00:03:11 2021 +0900

    [DOC] Add Work In Progress notice and credit Kai Mindermann
---
 log4j-2.16.0/security.html | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/log4j-2.16.0/security.html b/log4j-2.16.0/security.html
index 842612a..ae92f77 100644
--- a/log4j-2.16.0/security.html
+++ b/log4j-2.16.0/security.html
@@ -192,8 +192,11 @@
 <p><b>Release Details</b></p>
 <p>As of Log4j 2.15.0 the message lookups feature was disabled by default. Lookups in configuration still work. While Log4j 2.15.0 has an option to enable Lookups in this fashion, users are strongly discouraged from enabling it. A whitelisting mechanism was introduced for JNDI connections, allowing only localhost by default.</p>
 <p>From version 2.16.0, the message lookups feature has been completely removed. Lookups in configuration still work. Furthermore, Log4j now disables access to JNDI by default. JNDI lookups in configuration now need to be enabled explicitly. Also, Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap protocols to only accessing Java primitive objects. Hosts other than the local host need to be explicitly allowed.</p></section><section>
+<h4><a name="Work_in_progress"></a>Work in progress</h4>
+<p>The Log4j team will continue to actively update this page as more information becomes known.</p></section><section>
 <h4><a name="Credit"></a>Credit</h4>
-<p>This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team.</p></section><section>
+<p>This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team.</p>
+<p>The ThreadContext attack vector was first discovered by Kai Mindermann of iC Consult.</p></section><section>
 <h4><a name="References"></a>References</h4>
 <p><a class="externalLink" href="https://issues.apache.org/jira/browse/LOG4J2-3201">https://issues.apache.org/jira/browse/LOG4J2-3201</a> and <a class="externalLink" href="https://issues.apache.org/jira/browse/LOG4J2-3198">https://issues.apache.org/jira/browse/LOG4J2-3198</a>.</p></section></section><section>
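Review bot: The new "Work in progress" paragraph (`+<p>The Log4j team will continue to actively update this page as more information becomes known.</p>`) gives readers no way to tell how current the advice above it is; consider adding a last-updated date to that paragraph so the mitigation guidance in Release Details can be judged against the latest release. Separately, the added credit line introduces a "ThreadContext attack vector" that nothing else in this section of the page describes or links to; a short sentence in Release Details, or a pointer from the credit line to the issue that tracks that vector, would let readers connect the credit to the specific behaviour being fixed.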