Posted to commits@logging.apache.org by ck...@apache.org on 2021/12/18 01:24:36 UTC
[logging-log4j2] 03/16: Prep for release
This is an automated email from the ASF dual-hosted git repository.
ckozak pushed a commit to branch release-2.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
commit 0b980aba0680e4984d64eb89e02d5c1561405202
Author: Ralph Goers <rg...@apache.org>
AuthorDate: Fri Dec 17 16:03:27 2021 -0700
Prep for release
---
pom.xml | 6 +++---
src/site/markdown/index.md.vm | 6 ++++++
src/site/markdown/security.md | 16 ++++++----------
src/site/xdoc/manual/appenders.xml | 27 ---------------------------
src/site/xdoc/manual/configuration.xml.vm | 26 --------------------------
5 files changed, 15 insertions(+), 66 deletions(-)
diff --git a/pom.xml b/pom.xml
index 4ff075f..8003f1a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -188,13 +188,13 @@
<properties>
<!-- make sure to update these for each release! -->
<log4jParentDir>${basedir}</log4jParentDir>
- <Log4jReleaseVersion>2.16.0</Log4jReleaseVersion>
+ <Log4jReleaseVersion>2.17.0</Log4jReleaseVersion>
<Log4jReleaseVersionJava7>2.12.2</Log4jReleaseVersionJava7>
<Log4jReleaseVersionJava6>2.3</Log4jReleaseVersionJava6>
<!--Log4jReleaseManager>Ralph Goers</Log4jReleaseManager-->
<!--Log4jReleaseKey>B3D8E1BA</Log4jReleaseKey-->
- <Log4jReleaseManager>Matt Sicker</Log4jReleaseManager>
- <Log4jReleaseKey>748F15B2CF9BA8F024155E6ED7C92B70FA1C814D</Log4jReleaseKey>
+ <Log4jReleaseManager>Ralph Goers</Log4jReleaseManager>
+ <Log4jReleaseKey>B3D8E1BA</Log4jReleaseKey>
<!-- note that any properties you want available in velocity templates must not use periods! -->
<slf4jVersion>1.7.25</slf4jVersion>
<logbackVersion>1.2.3</logbackVersion>
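Review bot: `Log4jReleaseKey` switches from a full 40-hex fingerprint (`748F15B2CF9BA8F024155E6ED7C92B70FA1C814D`) to the 8-hex short ID `B3D8E1BA`; short key IDs are not collision-resistant, so a forged key with the same short ID would satisfy anyone who verifies the release signature against this value. Use the full fingerprint of the release manager's key here, as was done for the previous release. The two commented-out lines just above (`<!--Log4jReleaseManager>Ralph Goers</Log4jReleaseManager-->` and `<!--Log4jReleaseKey>B3D8E1BA</Log4jReleaseKey-->`) now duplicate the live values and can be dropped.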
diff --git a/src/site/markdown/index.md.vm b/src/site/markdown/index.md.vm
index 4e4502f..400ced9 100644
--- a/src/site/markdown/index.md.vm
+++ b/src/site/markdown/index.md.vm
@@ -45,6 +45,12 @@ $h4 Mitigation
From version 2.17.0 (for Java 8), only lookup strings in configuration are expanded recursively;
in any other usage, only the top-level lookup is resolved, and any nested lookups are not resolved.
+In prior releases this issue can be mitigated by ensuring your logging configuration does the following:
+* Replace Context Lookups like `$${ctx:loginId}` in PatternLayout with Thread Context Map patterns (%X, %mdc, or %MDC)
+ in the logging configuration.
+* Remove refrences to Context Lookups like `$${ctx:loginId}` in the configuration where they originate
+ from sources external to the application such as HTTP headers or user input.
+
$h4 Reference
Please refer to the [Security page](security.html#CVE-2021-45105) for details and mitigation measures for older versions of Log4j.
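Review bot: typo in the second new bullet: `refrences` should be `references`. The lead-in `In prior releases this issue can be mitigated` also never names the issue; since this is the front page, say `CVE-2021-45105` explicitly so the bullets are meaningful when read on their own. The same two bullets are added to security.md in this patch; keep the wording identical in both places so the two copies do not drift.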
diff --git a/src/site/markdown/security.md b/src/site/markdown/security.md
index f1a1e05..3409747 100644
--- a/src/site/markdown/security.md
+++ b/src/site/markdown/security.md
@@ -54,8 +54,8 @@ Apache Log4j2 does not always protect from infinite recursion in lookup evaluati
| [CVE-2021-45105](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105) | Denial of Service |
| --------------- | -------- |
-| Severity | XXXXX |
-| Base CVSS Score | X.X (XXXX) |
+| Severity | High |
+| Base CVSS Score | 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |
| Versions Affected | All versions from 2.0-beta9 to 2.16.0 |
### Description
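Review bot: the vector `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` does evaluate to 7.5 (High), but it carries no `CVSS:3.x/` prefix, so a reader cannot tell which CVSS version the score was computed under; prefix it with the version used, matching the other CVE tables on this page.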
@@ -64,13 +64,6 @@ When the logging configuration uses a non-default Pattern Layout with a Context
attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup,
resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.
-$h4 Mitigation
-From version 2.17.0 (for Java 8), only lookup strings in configuration are expanded recursively;
-in any other usage, only the top-level lookup is resolved, and any nested lookups are not resolved.
-Furthermore, error handling has been made more extensive, to catch all Throwables that arise in logging code instead of only Exceptions.
-Finally, when JNDI is enabled, it will only support the `java` protocol.
-The property to enable JNDI has been renamed to `log4j2.enableJndiJava` from `log4j2.enableJndi`.
-
### Mitigation
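Review bot: the deleted block is the only place in this patch that records the 2.17.0 behaviour changes beyond lookup recursion: catching all Throwables in logging code rather than only Exceptions, restricting JNDI to the `java` protocol, and renaming `log4j2.enableJndi` to `log4j2.enableJndiJava`. Dropping the duplicate `$h4 Mitigation` heading is right (security.md is plain Markdown, not a `.vm` template, so `$h4` would render literally), but the property rename should be kept under the retained `### Mitigation` section or in the release notes, since users who set `log4j2.enableJndi` will otherwise find JNDI no longer enabled after upgrading with no documented reason.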
@@ -83,7 +76,10 @@ Log4j 1.x is not impacted by this vulnerability.
Implement one of the following mitigation techniques:
* Java 8 (or later) users should upgrade to release 2.17.0.
-* Replace Context Lookups like `$${ctx:loginId}` with Thread Context Map patterns (%X, %mdc, or %MDC) in the logging configuration.
+* Replace Context Lookups like `$${ctx:loginId}` in PatternLayout with Thread Context Map patterns (%X, %mdc, or %MDC)
+in the logging configuration.
+* Remove refrences to Context Lookups like `$${ctx:loginId}` in the configuration where they originate
+from sources external to the application such as HTTP headers or user input.
Note that only the log4j-core JAR file is impacted by this vulnerability.
Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
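Review bot: typo in the new bullet: `refrences` should be `references` (the same misspelling is in the index.md.vm copy). The list offers an upgrade path only for `Java 8 (or later) users`, while the table above says every version from 2.0-beta9 to 2.16.0 is affected and pom.xml still pins the Java 7 line at 2.12.2; state explicitly that Java 7 and Java 6 users currently have only the configuration mitigations, so they are not left guessing whether a fixed release exists for them.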
diff --git a/src/site/xdoc/manual/appenders.xml b/src/site/xdoc/manual/appenders.xml
index 35d88c0..a59f2e4 100644
--- a/src/site/xdoc/manual/appenders.xml
+++ b/src/site/xdoc/manual/appenders.xml
@@ -1559,33 +1559,6 @@ public class ConnectionFactory {
<th>Description</th>
</tr>
<tr>
- <td>allowdLdapClasses</td>
- <td>String</td>
- <td>null</td>
- <td>
- A comma separated list of fully qualified class names that may be accessed by LDAP. The classes
- must implement Serializable. Only applies when the JMS Appender By default only Java primitive classes are allowed.
- </td>
- </tr>
- <tr>
- <td>allowdLdapHosts</td>
- <td>String</td>
- <td>null</td>
- <td>
- A comma separated list of host names or ip addresses that may be accessed by LDAP. By default only
- the local host names and ip addresses are allowed.
- </td>
- </tr>
- <tr>
- <td>allowdJndiProtocols</td>
- <td>String</td>
- <td>null</td>
- <td>
- A comma separated list of protocol names that JNDI will allow. By default only java, ldap, and ldaps
- are the only allowed protocols.
- </td>
- </tr>
- <tr>
<td>factoryBindingName</td>
<td>String</td>
<td><em>Required</em></td>
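Review bot: dropping the `allowdLdapClasses`, `allowdLdapHosts` and `allowdJndiProtocols` rows leaves the JMS appender table with no statement of which JNDI names are accepted. The security.md text removed in this same patch says JNDI now supports only the `java` protocol; add one sentence to that effect in the JMS appender description so readers of the manual do not assume LDAP allowlisting still exists. The removed rows were misspelled (`allowd`) and contained a broken sentence (`Only applies when the JMS Appender By default only Java primitive classes are allowed.`), so nothing worth keeping is lost by deleting them.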
diff --git a/src/site/xdoc/manual/configuration.xml.vm b/src/site/xdoc/manual/configuration.xml.vm
index 2c1c315..86acc17 100644
--- a/src/site/xdoc/manual/configuration.xml.vm
+++ b/src/site/xdoc/manual/configuration.xml.vm
@@ -2173,32 +2173,6 @@ public class AwesomeTest {
</td>
</tr>
<tr>
- <td><a name="allowedLdapClasses"/>log4j2.allowedLdapClasses</td>
- <td>LOG4J_ALLOWED_LDAP_CLASSES</td>
- <td> </td>
- <td>
- System property that specifies fully qualified class names that may be accessed by LDAP. The classes
- must implement Serializable. By default only Java primitive classes are allowed.
- </td>
- </tr>
- <tr>
- <td><a name="allowedLdapHosts"/>log4j2.allowedLdapHosts</td>
- <td>LOG4J_ALLOWED_LDAP_HOSTS</td>
- <td> </td>
- <td>
- System property that adds host names or ip addresses that may be access by LDAP. By default it only allows
- the local host names and ip addresses.
- </td>
- </tr>
- <tr>
- <td><a name="allowedJndiProtocols"/>log4j2.allowedJndiProtocols</td>
- <td>LOG4J_ALLOWED_JNDI_PROTOCOLS</td>
- <td> </td>
- <td>
- System property that adds protocol names that JNDI will allow. By default it only allows java, ldap, and ldaps.
- </td>
- </tr>
- <tr>
<td><a name="uuidSequence"/>log4j2.uuidSequence
<br />
(<a name="org.apache.logging.log4j.uuidSequence"/>org.apache.logging.log4j.uuidSequence)
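Review bot: removing the `log4j2.allowedLdapClasses`, `log4j2.allowedLdapHosts` and `log4j2.allowedJndiProtocols` rows also removes their `<a name="allowedLdapClasses"/>` style anchors, so any page linking to `#allowedLdapClasses` and friends will now land at the top of the page; grep the site for those anchor names. Since this patch also renames the JNDI enablement property to `log4j2.enableJndiJava` (per the security.md text it removes), confirm the system-properties table gains or already has a row for the new name; otherwise the manual documents neither the old allowlist properties nor the property that replaces them.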