You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@logging.apache.org by "Volkan Yazici (Jira)" <ji...@apache.org> on 2021/12/13 09:53:00 UTC

[jira] [Comment Edited] (LOG4J2-3214) update security page text for CVE-2021-44228

    [ https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458244#comment-17458244 ] 

Volkan Yazici edited comment on LOG4J2-3214 at 12/13/21, 9:52 AM:
------------------------------------------------------------------

[~rpopma], great job! Thanks so much! Some remarks:
 # I have ordered the bullets in preference order.
 # I have used signs to precisely specify version ranges.
 # I would appreciate it if we can keep the formatting (code blocks, bulleting, etc.) while reflecting this back to {{index.html}} and {{{}security.html{}}}. (Note that > and < characters need to be quoted in HTML.)


was (Author: vy):
[~rpopma], great job! Thanks so much! Some remarks:
 # I have ordered the bullets in preference order.
 # I have used signs to precisely specify version ranges.
 # I would appreciate it if we can keep the formatting (code blocks, bulleting, etc.) while reflecting this back to {{security.html}}. (Note that > and < characters need to be quoted in HTML.)

> update security page text for CVE-2021-44228
> --------------------------------------------
>
>                 Key: LOG4J2-3214
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3214
>             Project: Log4j 2
>          Issue Type: Documentation
>    Affects Versions: 2.15.0
>            Reporter: Remko Popma
>            Priority: Major
>             Fix For: 2.16.0
>
>
> I propose to update the text for the mitigation section of CVE-2021-44228 on [https://logging.apache.org/log4j/2.x/security.html]
> Changes: add Log4j 1.x section, and format the Log4j 2.x section as a bullet point list for improved readability.
> ----
> {*}Log4j 1.x mitigation{*}: Audit your logging configuration to ensure it has no {{JMSAppender}} configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.
> {*}Log4j 2.x mitigation{*}: Implement one of the below listed mitigation techniques, ordered from the most recommended approach to the least.
>  # Upgrade to a version >=2.15.0 or later
>  # For releases >=2.10,
>  ** set system property {{log4j2.formatMsgNoLookups}} to {{true}} (see [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties])
>  ** or set environment variable {{LOG4J_FORMAT_MSG_NO_LOOKUPS}} to {{true}} (see [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties]).
>  # For releases >=2.7 and <=2.14.1, modify your logging configuration to disable message lookups:
>  ** use {{{}%m{nolookups{}}}} instead of just {{%m}}
>  ** use {{{}%msg{nolookups{}}}} instead of just {{%msg}}
>  ** use {{{}%message{nolookups{}}}} instead of just {{%message}}
>  # For releases >=2.0-beta9 and <2.7, remove the {{JndiLookup}} class from the classpath: {{zip \-q \-d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class}}



--
This message was sent by Atlassian Jira
(v8.20.1#820001)