Posted to commits@logging.apache.org by rp...@apache.org on 2021/12/20 08:23:26 UTC

[logging-log4j2] branch java6 updated: [DOC] Update log4j-2.3.x About page to mention security vulns and point to security page

This is an automated email from the ASF dual-hosted git repository.

rpopma pushed a commit to branch java6
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git


The following commit(s) were added to refs/heads/java6 by this push:
     new 6f0c11e  [DOC] Update log4j-2.3.x About page to mention security vulns and point to security page
6f0c11e is described below

commit 6f0c11e3baafe9c724e73d44f7d440efb3e491ba
Author: rpopma <rp...@apache.org>
AuthorDate: Mon Dec 20 17:23:15 2021 +0900

    [DOC] Update log4j-2.3.x About page to mention security vulns and point to security page
---
 src/site/xdoc/index.xml | 66 ++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 65 insertions(+), 1 deletion(-)

diff --git a/src/site/xdoc/index.xml b/src/site/xdoc/index.xml
index 2d40323..b3e8f3f 100644
--- a/src/site/xdoc/index.xml
+++ b/src/site/xdoc/index.xml
@@ -27,7 +27,71 @@
     </properties>
 
     <body>
-        <section name="Apache Log4j 2">
+
+      <a name="CVE-2021-45105"/>
+      <h2>Important: Security Vulnerabilities CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228</h2>
+
+      <p>The Log4j team has been made aware of multiple security vulnerabilities, CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228,
+        that have been addressed in Log4j 2.3.1 for Java 6.
+        The same vulnerabilities have been addressed in Log4j 2.12.3 for Java 7, and in
+        Log4j 2.17.0 for Java 8 and up.</p>
+
+      <h3>CVE-2021-45105</h3>
+      <p>Summary: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.</p>
+
+      <h4>Details</h4>
+      <p>Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups.
+        When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, <code>$${ctx:loginId}</code>),
+        attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup,
+        resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.</p>
+
+      <h4>Mitigation</h4>
+      <p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8).</p>
+
+      <h4>Reference</h4>
+      <p>Please refer to the <a href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105">Security page</a> for details and mitigation measures for older versions of Log4j.</p>
+
+
+      <a name="CVE-2021-45046"/>
+      <h3>CVE-2021-45046</h3>
+
+      <p>Summary: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.</p>
+
+      <h4>Details</h4>
+      <p>It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
+        When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, <code>$${ctx:loginId}</code>),
+        attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern,
+        resulting in an information leak and remote code execution in some environments and local code execution in all environments;
+        remote code execution has been demonstrated on macOS but no other tested environments.</p>
+
+      <h4>Mitigation</h4>
+      <p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8).</p>
+
+      <h4>Reference</h4>
+      <p>Please refer to the <a href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105">Security page</a> for details and mitigation measures for older versions of Log4j.</p>
+
+
+      <a name="CVE-2021-44228"/>
+      <h3>CVE-2021-44228</h3>
+
+      <p>Summary:
+        Log4j’s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code
+        execution.</p>
+
+      <h4>Details</h4>
+      <p>One vector that allowed exposure to this vulnerability was Log4j’s allowance of Lookups to appear in log messages.
+        This meant that when user input is logged, and that user input contained a JNDI Lookup pointing to a malicious server,
+        then Log4j would resolve that JNDI Lookup, connect to that server, and potentially download serialized Java code from
+        that remote server. This in turn could execute any code during deserialization.
+        This is known as a RCE (Remote Code Execution) attack.</p>
+
+      <h4>Mitigation</h4>
+      <p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8).</p>
+
+      <h4>Reference</h4>
+      <p>Please refer to the <a href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105">Security page</a> for details and mitigation measures for older versions of Log4j.</p>
+
+      <section name="Apache Log4j 2">
 
           <p>
             Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j
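Review bot: The "Reference" links for CVE-2021-45046 and CVE-2021-44228 both point at the wrong fragment: all three `<a href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105">` links reuse the CVE-2021-45105 anchor, so readers of the second and third sections land on the wrong entry of the security page; the second should use `#CVE-2021-45046` and the third `#CVE-2021-44228`. Relatedly, the `<a name="CVE-2021-45105"/>` anchor is placed before the shared `<h2>` heading rather than directly above its own `<h3>CVE-2021-45105</h3>` as the other two anchors are, so a `#CVE-2021-45105` link into this page scrolls to the top of the block instead of to that entry. A minor wording inconsistency: the intro says 2.17.0 is "for Java 8 and up" while each Mitigation paragraph says "2.17.0 (for Java 8)"; using the same phrase in all four places avoids implying 2.17.0 is Java 8 only.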