Posted to commits@logging.apache.org by rp...@apache.org on 2021/12/16 23:41:58 UTC

[logging-log4j2] branch release-2.x updated: [DOC] update index page markdown with changes that were made directly to the site

This is an automated email from the ASF dual-hosted git repository.

rpopma pushed a commit to branch release-2.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git


The following commit(s) were added to refs/heads/release-2.x by this push:
     new cfdc346  [DOC] update index page markdown with changes that were made directly to the site
cfdc346 is described below

commit cfdc346f4089e444db10aea3b099bdbea00636ac
Author: rpopma <rp...@apache.org>
AuthorDate: Fri Dec 17 08:41:32 2021 +0900

    [DOC] update index page markdown with changes that were made directly to the site
---
 src/site/markdown/index.md.vm | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/site/markdown/index.md.vm b/src/site/markdown/index.md.vm
index 8e6fc69..3574ef2 100644
--- a/src/site/markdown/index.md.vm
+++ b/src/site/markdown/index.md.vm
@@ -44,7 +44,11 @@ Note that previous mitigations involving configuration such as setting the syste
 to `true` do NOT mitigate this specific vulnerability.
 
 $h4 Mitigation
-From version 2.16.0, Log4j disables access to JNDI by default. JNDI lookups in configuration now need to be enabled explicitly.
+In version 2.12.2 (for Java 7), Log4j disables access to JNDI by default. Usage of JNDI in configuration now need to be enabled explicitly.
+Calls to the JndiLookup will now return a constant string. Also, Log4j now limits the protocols by default to only java.
+The message lookups feature has been completely removed.
+
+From version 2.16.0 (for Java 8), Log4j disables access to JNDI by default. JNDI lookups in configuration now need to be enabled explicitly.
 Also, Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap
 protocols to only accessing Java primitive objects. Hosts other than the local host need to be explicitly allowed.
 The message lookups feature has been completely removed.
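Review bot: subject-verb agreement in the added 2.12.2 paragraph: "Usage of JNDI in configuration now need to be enabled explicitly." should read "needs to be enabled explicitly." (the subject is "Usage"). Since the 2.16.0 paragraph below it keeps the original "JNDI lookups in configuration now need to be enabled explicitly.", consider using the same phrasing in both paragraphs so the two release notes are parallel and readers comparing the Java 7 and Java 8 lines see the same wording for the same change.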
@@ -70,7 +74,11 @@ that remote server. This in turn could execute any code during deserialization.
 This is known as a RCE (Remote Code Execution) attack.
 
 $h4 Mitigation
-From version 2.16.0, the message lookups feature has been completely removed. Lookups in configuration still work.
+In version 2.12.2 (for Java 7), Log4j disables access to JNDI by default. Usage of JNDI in configuration now need to be enabled explicitly.
+Calls to the JndiLookup will now return a constant string. Also, Log4j now limits the protocols by default to only java.
+The message lookups feature has been completely removed.
+
+From version 2.16.0 (for Java 8), the message lookups feature has been completely removed. Lookups in configuration still work.
 Furthermore, Log4j now disables access to JNDI by default. JNDI lookups in configuration now need to be enabled explicitly.
 Also, Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap
 protocols to only accessing Java primitive objects. Hosts other than the local host need to be explicitly allowed.
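Review bot: the 2.12.2 paragraph added here is a verbatim copy of the one in the previous hunk, so it has the same agreement error ("Usage of JNDI in configuration now need to be enabled" should be "needs"), and it opens with the JNDI-disabling change even though this section is about the message lookups vulnerability; the 2.16.0 paragraph that follows leads with "the message lookups feature has been completely removed" and only then mentions JNDI. Suggest reordering the 2.12.2 paragraph the same way so the first sentence of each mitigation states the fix for the vulnerability the section describes.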