Posted to commits@logging.apache.org by rg...@apache.org on 2022/01/17 20:39:43 UTC

[logging-log4j-site] branch asf-staging updated: update text

This is an automated email from the ASF dual-hosted git repository.

rgoers pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new 055a9fa  update text
055a9fa is described below

commit 055a9fadd8748ce5afb010fdbecc28abdcbfa93f
Author: Ralph Goers <rg...@apache.org>
AuthorDate: Mon Jan 17 13:39:32 2022 -0700

    update text
---
 log4j-1.2.17/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/log4j-1.2.17/index.html b/log4j-1.2.17/index.html
index f2c8491..1dcf5cd 100644
--- a/log4j-1.2.17/index.html
+++ b/log4j-1.2.17/index.html
@@ -156,7 +156,7 @@
               <h2>End of Life</h2><p>On August 5, 2015 the Logging Services Project Management Committee announced that Log4j 1.x had reached end of life. For complete text of the announcement please see the <a href="http://blogs.apache.org/foundation/entry/apache_logging_services_project_announces">Apache Blog</a>. Users of Log4j 1 are recommended to upgrade to <a class="externalLink" href="http://logging.apache.org/log4j/2.x/index.html">Apache Log4j 2</a>.</p>
               <h2>Security Vulnerabilities</h2>
                 <p>Since Log4j 1 is no longer maintained none of the issues listed will be fixed. Users are urged to upgrade to Log4j 2. More issues will be added to this list as they are reported.</p>
-                <p>A security vulnerability, <a href="https://www.cvedetails.com/cve/CVE-2019-17571/">CVE-2019-17571</a> has been identified against Log4j 1. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. 
+                <p><a href="https://www.cvedetails.com/cve/CVE-2019-17571/">CVE-2019-17571</a> is a high severity issue targeting the SocketServer. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. 
                 This can provide an attack vector that can be expoited.</p>
                 <p><a href="https://www.cvedetails.com/cve/CVE-2020-9488/">CVE-2020-9488</a> is a moderate severity issue with the SMTPAppender. Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.</p>
                 <p><a href="https://www.cvedetails.com/cve/CVE-2021-4104/">CVE-2021-4104</a> is a high severity deserialization vulnerability in JMSAppender. JMSAppender uses JNDI in an unprotected manner allowing any application using the JMSAppender to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accesseed by the attacker. For example, he attacker can cause remote code execution by manipulating the data in the LDAP store.</p>
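Review bot: while this hunk is already touching the CVE-2019-17571 paragraph, the typos in its unchanged context lines should go with it: "expoited" on the line that closes that paragraph should read "exploited", and the JMSAppender paragraph has "accesseed" (should be "accessed") and "he attacker" (should be "the attacker"). The new opening sentence "CVE-2019-17571 is a high severity issue targeting the SocketServer." is immediately followed by "Log4j includes a SocketServer that accepts serialized log events...", so the two sentences repeat themselves; folding them into one ("CVE-2019-17571 is a high severity issue in the SocketServer, which accepts serialized log events and deserializes them without verifying whether the objects are allowed or not.") would read better and match the form used by the CVE-2020-9488 and CVE-2021-4104 paragraphs. Minor: the added line keeps a trailing space after "allowed or not. ", and the cvedetails links lack the `class="externalLink"` that the other outbound links in this block carry.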