You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@logging.apache.org by rg...@apache.org on 2021/12/10 09:16:21 UTC

[logging-log4j-site] 01/04: Update to include CVE text

This is an automated email from the ASF dual-hosted git repository.

rgoers pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git

commit 76e66dcc35a068b6fc66b5deaabfb4016ea81186
Author: Ralph Goers <rg...@apache.org>
AuthorDate: Thu Dec 9 23:26:04 2021 -0700

    Update to include CVE text
---
 log4j-2.15.0/index.html          | 16 ++++++++++++++++
 log4j-2.15.0/manual/layouts.html |  5 +++++
 log4j-2.15.0/security.html       | 10 ++++++++++
 3 files changed, 31 insertions(+)

diff --git a/log4j-2.15.0/index.html b/log4j-2.15.0/index.html
index fb80eb7..ee09c06 100644
--- a/log4j-2.15.0/index.html
+++ b/log4j-2.15.0/index.html
@@ -195,6 +195,22 @@
 <h2><a name="Requirements"></a>Requirements</h2>
 <p>Log4j 2.13.0 and greater require Java 8. Version 2.4 through 2.12.1 required Java 7 (the Log4j team no longer supports Java 7). Some features require optional dependencies; the documentation for these features will specify the required dependencies.</p></section><section>
 <h2><a name="News"></a>News</h2>
+<h3>CVE-2021-44228</h3>
+<p>The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, that has been addressed in Log4j 2.15.0.</p>
+
+<p>Log4j’s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code execution. Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap protocols to only accessing Java primitive objects by default served on the local host.</p>
+
+<p>One vector that allowed exposure to this vulnerability was Log4j’s allowance of Lookups to appear in log messages. As of Log4j 2.15.0 this feature is now disabled by default. While an option has been provided to enable Lookups in this fashion users are strongly discouraged from enabling it.</p>
+
+<p>Users who cannot upgrade to 2.15.0 can mitigate the exposure by:
+<ul>
+<li>>Users of Log4j 2.10 or greater may add -Dlog4j.formatMsgNoLookups=true as a command line option or add log4j.formatMsgNoLookups to a log4j2.component.properties file on the classpath to prevent lookups in log event messages.</li>
+<li>>Users since Log4j 2.7 may specify %m{nolookups} in the PatternLayout configuration to prevent lookups in log event messages.</li>
+<li>>Remove the JndiLookup and JndiManager classes from the log4j-core jar. Removal of the JndiManager will cause the JndiContextSelector and JMSAppender to no longer function.</li>
+</ul>
+
+</p>
+<h3>Other News</h3>
 <p>Log4j 2.15.0 is now available for production. The API for Log4j 2 is not compatible with Log4j 1.x, however an adapter is available to allow applications to continue to use the Log4j 1.x API. Adapters are also available for Apache Commons Logging, SLF4J, and java.util.logging.</p>
 <p>Log4j 2.15.0 is the latest release of Log4j. As of Log4j 2.13.0 Log4j 2 requires Java 8 or greater at runtime. This release contains new features and fixes which can be found in the latest <a href="changes-report.html#a2.15.0">changes report</a>.</p>
 <p>Some of the new features in Log4j 2.15.0 include:</p>
diff --git a/log4j-2.15.0/manual/layouts.html b/log4j-2.15.0/manual/layouts.html
index a9d5d9e..eb7c557 100644
--- a/log4j-2.15.0/manual/layouts.html
+++ b/log4j-2.15.0/manual/layouts.html
@@ -2333,6 +2333,11 @@ WARN  [main]: Message 2</pre></div>
                   more obvious to handle the lookup in code.
                   This feature is disabled by default and the message string is logged untouched.
                 </p>
+                <p>
+                  <b>Note: </b>Users are <b>STRONGLY</b> discouraged from using the lookups option. Doing so may allow uncontrolled user input
+                  containing lookups to take unintended actions. In almost all cases the software developer can accomplish the same tasks
+                  lookups perform directly in the application code.
+                </p>
               </td>
             </tr>
             
diff --git a/log4j-2.15.0/security.html b/log4j-2.15.0/security.html
index e84a774..430d7a2 100644
--- a/log4j-2.15.0/security.html
+++ b/log4j-2.15.0/security.html
@@ -163,6 +163,16 @@
 <p>Please note that binary patches are never provided. If you need to apply a source code patch, use the building instructions for the Apache Log4j version that you are using. For Log4j 2 this is BUILDING.md. This file can be found in the root subdirectory of a source distributive.</p>
 <p>If you need help on building or configuring Log4j or other help on following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public Log4j Users mailing list</p>
 <p>If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the <a class="externalLink" href="mailto:private@logging.apache.org">Log4j Security Team</a>. Thank you.</p><section><section>
+<h3><a name="Fixed_in_Log4j_2.15.0"></a>Fixed in Log4j 2.15.0</h3>
+<p><a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228">CVE-2021-44228</a>:  Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.</p>
+<p>Severity: High</p>
+<p>Overall CVSS Score: 9.0 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:L/MI:H/MA:H</p>
+<p>Versions Affected: all versions from 2.0-beta9 to 2.14.1</p>
+<p>Descripton: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.</p>
+<p>Mitigation: In previous releases (>=2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against RCE by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trust [...]
+<p>Credit: This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team.</p>
+<p>References: <a class="externalLink" href="https://issues.apache.org/jira/browse/LOG4J2-3201">https://issues.apache.org/jira/browse/LOG4J2-3201</a> and 
+    <a class="externalLink" href="https://issues.apache.org/jira/browse/LOG4J2-3198">https://issues.apache.org/jira/browse/LOG4J2-3198</a></p></section><section>
 <h3><a name="Fixed_in_Log4j_2.13.2"></a>Fixed in Log4j 2.13.2</h3>
 <p><a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9488">CVE-2020-9488</a>:  Improper validation of certificate with host mismatch in Apache Log4j SMTP appender.</p>
 <p>Severity: Low</p>