You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@logging.apache.org by rg...@apache.org on 2021/12/29 19:30:15 UTC
[logging-log4j2] branch log4j-2.3.x updated: Fixes for site
This is an automated email from the ASF dual-hosted git repository.
rgoers pushed a commit to branch log4j-2.3.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
The following commit(s) were added to refs/heads/log4j-2.3.x by this push:
new 94c264c Fixes for site
94c264c is described below
commit 94c264c9d670a42be3dfbf6d4af0549950029d64
Author: Ralph Goers <rg...@apache.org>
AuthorDate: Wed Dec 29 12:27:48 2021 -0700
Fixes for site
---
src/changes/announcement.vm | 2 +
src/site/xdoc/index.xml | 67 +++++++------------------------
src/site/xdoc/manual/configuration.xml.vm | 4 --
3 files changed, 17 insertions(+), 56 deletions(-)
diff --git a/src/changes/announcement.vm b/src/changes/announcement.vm
index 6b06f36..df1f871 100644
--- a/src/changes/announcement.vm
+++ b/src/changes/announcement.vm
@@ -26,6 +26,8 @@ Log4j that provides significant improvements over its predecessor, Log4j 1.x, an
many other modern features such as support for Markers, property substitution using Lookups, and asynchronous
Loggers. In addition, Log4j 2 will not lose events while reconfiguring.
+The artifacts may be downloaded from https://logging.apache.org/log4j/log4j-$relVersion}/download.html.
+
The major changes contained in this release include:
* Address CVE-2021-45046 and CVE-2021-45105 by disabling recursive evaluation of Lookups during log event processing. Recursive evaluation is still allowed while generating the configuration.
diff --git a/src/site/xdoc/index.xml b/src/site/xdoc/index.xml
index d289bf7..1af3008 100644
--- a/src/site/xdoc/index.xml
+++ b/src/site/xdoc/index.xml
@@ -28,68 +28,31 @@
<body>
- <a name="CVE-2021-45105"/>
- <h2>Important: Security Vulnerabilities CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228</h2>
-
- <p>The Log4j team has been made aware of multiple security vulnerabilities, CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228,
- that have been addressed in Log4j 2.3.1 for Java 6.
- The same vulnerabilities have been addressed in Log4j 2.12.3 for Java 7, and in
- Log4j 2.17.0 for Java 8 and up.</p>
+ <a name="CVE-2021-44832"/>
+ <h2>Important: Security Vulnerability CVE-2021-44832</h2>
- <h3>CVE-2021-45105</h3>
- <p>Summary: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.</p>
+ Summary: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.
<h4>Details</h4>
- <p>Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups.
- When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, <code>$${ctx:loginId}</code>),
- attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup,
- resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.</p>
-
- <h4>Mitigation</h4>
- <p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8).</p>
-
- <h4>Reference</h4>
- <p>Please refer to the <a href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105">Security page</a> for details and mitigation measures for older versions of Log4j.</p>
-
-
- <a name="CVE-2021-45046"/>
- <h3>CVE-2021-45046</h3>
-
- <p>Summary: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.</p>
- <h4>Details</h4>
- <p>It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
- When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, <code>$${ctx:loginId}</code>),
- attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern,
- resulting in an information leak and remote code execution in some environments and local code execution in all environments;
- remote code execution has been demonstrated on macOS but no other tested environments.</p>
+ Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to
+ a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can
+ construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute
+ remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1,
+ 2.12.4, and 2.3.2.
<h4>Mitigation</h4>
- <p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8).</p>
+ Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later)
<h4>Reference</h4>
- <p>Please refer to the <a href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046">Security page</a> for details and mitigation measures for older versions of Log4j.</p>
-
-
- <a name="CVE-2021-44228"/>
- <h3>CVE-2021-44228</h3>
-
- <p>Summary:
- Log4j’s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code
- execution.</p>
-
- <h4>Details</h4>
- <p>One vector that allowed exposure to this vulnerability was Log4j’s allowance of Lookups to appear in log messages.
- This meant that when user input is logged, and that user input contained a JNDI Lookup pointing to a malicious server,
- then Log4j would resolve that JNDI Lookup, connect to that server, and potentially download serialized Java code from
- that remote server. This in turn could execute any code during deserialization.
- This is known as a RCE (Remote Code Execution) attack.</p>
+ Please refer to the <a href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832">Security Page</a>
+ for details and mitigation measures for older versions of Log4j.
- <h4>Mitigation</h4>
- <p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8).</p>
+ <a name="CVE-2021-45105"/>
+ <h2>Important: Security Vulnerabilities CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228</h2>
- <h4>Reference</h4>
- <p>Please refer to the <a href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228">Security page</a> for details and mitigation measures for older versions of Log4j.</p>
+ Please refer to the <a href="https://logging.apache.org/log4j/2.x/security.html">Security Page</a> for details
+ and mitigation measures for these security issues.
<section name="Apache Log4j 2">
diff --git a/src/site/xdoc/manual/configuration.xml.vm b/src/site/xdoc/manual/configuration.xml.vm
index c391da0..1e0b768 100644
--- a/src/site/xdoc/manual/configuration.xml.vm
+++ b/src/site/xdoc/manual/configuration.xml.vm
@@ -1377,7 +1377,6 @@ public class AwesomeTest {
</tr>
<tr>
<td><a name="enableJndiContextSelector"/>log4j2.enableJndiContextSelector</td>
- <td>LOG4J_ENABLE_JNDI_CONTEXT_SELECTOR</td>
<td>false</td>
<td>
When true, the Log4j context selector that uses the JNDI java protocol is enabled. When false, the default, they are disabled.
@@ -1385,7 +1384,6 @@ public class AwesomeTest {
</tr>
<tr>
<td><a name="enableJndiJdbc"/>log4j2.enableJndiJdbc</td>
- <td>LOG4J_ENABLE_JNDI_JDBC</td>
<td>false</td>
<td>
When true, a Log4j JDBC Appender configured with a <code>DataSource</code> which uses JNDI's java protocol is enabled. When false, the default, they are disabled.
@@ -1393,7 +1391,6 @@ public class AwesomeTest {
</tr>
<tr>
<td><a name="enableJndiJms"/>log4j2.enableJndiJms</td>
- <td>LOG4J_ENABLE_JNDI_JMS</td>
<td>false</td>
<td>
When true, a Log4j JMS Appender that uses JNDI's java protocol is enabled. When false, the default, they are disabled.
@@ -1401,7 +1398,6 @@ public class AwesomeTest {
</tr>
<tr>
<td><a name="enableJndiLookup"/>log4j2.enableJndiLookup</td>
- <td>LOG4J_ENABLE_JNDI_LOOKUP</td>
<td>false</td>
<td>
When true, a Log4j lookup that uses JNDI's java protocol is enabled. When false, the default, they are disabled.