You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@logging.apache.org by vy...@apache.org on 2021/12/12 19:25:13 UTC
[logging-log4j-site] branch asf-site updated: Improve CVE-2021-4422 text.
This is an automated email from the ASF dual-hosted git repository.
vy pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 6ea5747 Improve CVE-2021-4422 text.
6ea5747 is described below
commit 6ea574799fdd1c497eb5fa4151dbb7d05cfb9638
Author: Volkan Yazıcı <vo...@yazi.ci>
AuthorDate: Sun Dec 12 20:24:59 2021 +0100
Improve CVE-2021-4422 text.
---
log4j-2.15.0/index.html | 2 +-
log4j-2.15.0/security.html | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/log4j-2.15.0/index.html b/log4j-2.15.0/index.html
index e8c7f62..b7ed4ea 100644
--- a/log4j-2.15.0/index.html
+++ b/log4j-2.15.0/index.html
@@ -202,7 +202,7 @@
<p>One vector that allowed exposure to this vulnerability was Log4j’s allowance of Lookups to appear in log messages. As of Log4j 2.15.0 this feature is now disabled by default. While an option has been provided to enable Lookups in this fashion, users are strongly discouraged from enabling it.</p>
-<p>For those who cannot upgrade to 2.15.0, in releases >=2.10, this vulnerability can be mitigated by setting either the system property <code>log4j2.formatMsgNoLookups</code> or the environment variable <code>LOG4J_FORMAT_MSG_NO_LOOKUPS</code> to <code>true</code>. For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the <code>JndiLookup</code> class from the classpath: <code>zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class</code>.</p>
+<p>For those who cannot upgrade to 2.15.0, in releases >=2.10, this behavior can be mitigated by setting either the system property <code>log4j2.formatMsgNoLookups</code> or the environment variable <code>LOG4J_FORMAT_MSG_NO_LOOKUPS</code> to <code>true</code>. For releases >=2.7 and <=2.14.1, all <code>PatternLayout</code> patterns can be modified to specify the message converter as <code>%m{nolookups}</code> instead of just <code>%m</code>. For releases >=2.0-beta9 and < [...]
<h3>Other News</h3>
<p>Log4j 2.15.0 is now available for production. The API for Log4j 2 is not compatible with Log4j 1.x, however an adapter is available to allow applications to continue to use the Log4j 1.x API. Adapters are also available for Apache Commons Logging, SLF4J, and java.util.logging.</p>
diff --git a/log4j-2.15.0/security.html b/log4j-2.15.0/security.html
index 5135f10..f8587c9 100644
--- a/log4j-2.15.0/security.html
+++ b/log4j-2.15.0/security.html
@@ -167,9 +167,9 @@
<p><a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228">CVE-2021-44228</a>: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.</p>
<p>Severity: Critical</p>
<p>Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H</p>
-<p>Versions Affected: all versions from 2.0-beta9 to 2.14.1</p>
-<p>Descripton: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.</p>
-<p>Mitigation: In releases >=2.10, this behavior can be mitigated by setting either the system property <code>log4j2.formatMsgNoLookups</code> or the environment variable <code>LOG4J_FORMAT_MSG_NO_LOOKUPS</code> to <code>true</code>. For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the <code>JndiLookup</code> class from the classpath: <code>zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class</code>.
+<p>Versions Affected: all <code>log4j-core</code> versions >=2.0-beta9 and <=2.14.1</p>
+<p>Descripton: Apache Log4j <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.</p>
+<p>Mitigation: In releases >=2.10, this behavior can be mitigated by setting either the system property <code>log4j2.formatMsgNoLookups</code> or the environment variable <code>LOG4J_FORMAT_MSG_NO_LOOKUPS</code> to <code>true</code>. For releases >=2.7 and <=2.14.1, all <code>PatternLayout</code> patterns can be modified to specify the message converter as <code>%m{nolookups}</code> instead of just <code>%m</code>. For releases >=2.0-beta9 and <=2.10.0, the mitigation is t [...]
<p>Credit: This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team.</p>
<p>References: <a class="externalLink" href="https://issues.apache.org/jira/browse/LOG4J2-3201">https://issues.apache.org/jira/browse/LOG4J2-3201</a> and
<a class="externalLink" href="https://issues.apache.org/jira/browse/LOG4J2-3198">https://issues.apache.org/jira/browse/LOG4J2-3198</a></p></section><section>