Posted to commits@logging.apache.org by rg...@apache.org on 2022/01/17 20:05:55 UTC

[logging-log4j-site] branch asf-staging updated (a615aba -> e49ef77)

This is an automated email from the ASF dual-hosted git repository.

rgoers pushed a change to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git.


    from a615aba  Stage Log4j Scala API 12.1-rc2 site
     new d9c6240  Add security issue descriptions
     new e49ef77  Update descriptions

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 log4j-1.2.17/index.html | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

[logging-log4j-site] 01/02: Add security issue descriptions

Posted by rg...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

rgoers pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git

commit d9c6240b695501be02b1db88bd8f666d52a368e4
Author: Ralph Goers <rg...@apache.org>
AuthorDate: Mon Jan 17 12:42:40 2022 -0700

    Add security issue descriptions
---
 log4j-1.2.17/index.html | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/log4j-1.2.17/index.html b/log4j-1.2.17/index.html
index 5cd6273..206ea6e 100644
--- a/log4j-1.2.17/index.html
+++ b/log4j-1.2.17/index.html
@@ -155,10 +155,18 @@
           <div class="section">
               <h2>End of Life</h2><p>On August 5, 2015 the Logging Services Project Management Committee announced that Log4j 1.x had reached end of life. For complete text of the announcement please see the <a href="http://blogs.apache.org/foundation/entry/apache_logging_services_project_announces">Apache Blog</a>. Users of Log4j 1 are recommended to upgrade to <a class="externalLink" href="http://logging.apache.org/log4j/2.x/index.html">Apache Log4j 2</a>.</p>
               <h2>Security Vulnerabilities</h2>
+                <p>Since Log4j 1 is no longer maintained none of the issues listed will be fixed. Users are urged to upgrade to Log4j 2. More issues will be added to this list as they are reported.</p>
                 <p>A security vulnerability, <a href="https://www.cvedetails.com/cve/CVE-2019-17571/">CVE-2019-17571</a> has been identified against Log4j 1. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. 
-                This can provide an attack vector that can be expoited. Since Log4j 1 is no longer maintained this issue will not be fixed. Users are urged to upgrade to Log4j 2.</p>
+                This can provide an attack vector that can be expoited.</p>
+                <p><a href="https://www.cvedetails.com/cve/CVE-2020-9488/">CVE-2020-9488</a> is a moderate severity issue with the SMTPAppender. Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.</p>
+                <p><a href="https://www.cvedetails.com/cve/CVE-2021-4104/">CVE-2021-4104</a> is a high severity deserialization vulnerability in JMSAppender. JMSAppender uses JNDI in an unprotected manner allowing any application using the JMSAppender to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accesseed by the attacker. For example, he attacker can cause remote code execution by manipulating the data in the LDAP store.</p>
+                <p><a href="https://www.cvedetails.com/cve/CVE-2022-23302/">CVE-2022-23302</a> is a high severity deserialization vulnerability in JMSSink. JMSSink uses JNDI in an unprotected manner allowing any application using the JMSSink to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accesseed by the attacker. For example, he attacker can cause remote code execution by manipulating the data in the LDAP store.</p>
+                <p><a href="https://www.cvedetails.com/cve/CVE-2022-23305/">CVE-2022-23305</a> is a high serverity SQL injection flaw in JDBCAppender that is similar to CVE-2022-44228 in that it allows the data being logged to modify the behavior of the component. By design, the JDBCAppender in Log4j 1.2.x accepts a query string as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This  [...]
+                <p><a href="https://www.cvedetails.com/cve/CVE-2022-23307/">CVE-2022-23307</a> is a critical severity against the chainsaw component in Log4j 1.x. This is the same issue corrected in CVE-2020-9493 fixed in Chainsaw 2.1.0 but Chainsaw was included as part of Log4j 1.2.x.</p> 
               <h2>Java Version Incompatibilities</h2>
                 <p>The version detection algorithm changed in Java 9 which causes the MDC not to work properly. See <a href="https://blogs.apache.org/logging/entry/moving_on_to_log4j_2">Log4j 1.2 is broken on Java 9</a> for details.</p>
+              <h2>Other issues of note</h2>
+                <p>Log4j 1 doesn't restrict DTD entities in log4j.xml. Users should be careful to ensure any entities specified are correct and secure.</p>              
               <h2>Apache log4j&#x2122; 1.2<a name="Apache_log4j_1.2"></a></h2><p>Welcome to Apache log4j, a logging library for Java. Apache log4j is an Apache Software Foundation Project and developed by a dedicated team of Committers of the Apache Software Foundation. For more info, please see <a class="externalLink" href="http://www.apache.org">The Apache Software Foundation</a>. Apache log4j is also part of a project which is known as <a class="externalLink" href="http://logging.apac [...]
               <div class="section"><h3>Why logging?<a name="Why_logging"></a></h3><p>Inserting log statements into your code is a low-tech method for debugging it. It may also be the only way because debuggers are not always available or applicable. This is often the case for distributed applications.</p><p>On the other hand, some people argue that log statements pollute source code and decrease legibility. (We believe that the contrary is true). In the Java language where a preprocessor [...]
               <div class="section"><h3>Why log4j?<a name="Why_log4j"></a></h3><p>With log4j it is possible to enable logging at runtime without modifying the application binary. The log4j package is designed so that these statements can remain in shipped code without incurring a heavy performance cost. Logging behavior can be controlled by editing a configuration file, without touching the application binary.</p><p>Logging equips the developer with detailed context for application failur [...]
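Review bot: the clause "similar to CVE-2022-44228" in the new CVE-2022-23305 paragraph needs checking before this is published; that identifier is not explained anywhere on the page and does not appear to be the Log4j 2 issue the comparison seems to intend, so either cite the correct CVE or drop the comparison. The added paragraphs also carry several typos that will go out verbatim: "expoited" (kept from the removed line), "accesseed" and "he attacker" (twice, in the CVE-2021-4104 and CVE-2022-23302 paragraphs), "serverity", and "is a critical severity against the chainsaw component" is missing a noun ("a critical severity issue against the Chainsaw component", matching the capitalisation used later in the same sentence). Finally, the new "Other issues of note" paragraph says Log4j 1 does not restrict DTD entities in log4j.xml but gives the reader nothing actionable; stating what the exposure is (DTD and entity processing of the configuration file) and that log4j.xml must only come from a trusted source would make the notice usable alongside the "will not be fixed" statement above it.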

[logging-log4j-site] 02/02: Update descriptions

Posted by rg...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

rgoers pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git

commit e49ef7755bb3067f9094bcd0bf183cb45cf665fc
Author: Ralph Goers <rg...@apache.org>
AuthorDate: Mon Jan 17 13:05:14 2022 -0700

    Update descriptions
---
 log4j-1.2.17/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/log4j-1.2.17/index.html b/log4j-1.2.17/index.html
index 206ea6e..f2c8491 100644
--- a/log4j-1.2.17/index.html
+++ b/log4j-1.2.17/index.html
@@ -161,7 +161,7 @@
                 <p><a href="https://www.cvedetails.com/cve/CVE-2020-9488/">CVE-2020-9488</a> is a moderate severity issue with the SMTPAppender. Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.</p>
                 <p><a href="https://www.cvedetails.com/cve/CVE-2021-4104/">CVE-2021-4104</a> is a high severity deserialization vulnerability in JMSAppender. JMSAppender uses JNDI in an unprotected manner allowing any application using the JMSAppender to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accesseed by the attacker. For example, he attacker can cause remote code execution by manipulating the data in the LDAP store.</p>
                 <p><a href="https://www.cvedetails.com/cve/CVE-2022-23302/">CVE-2022-23302</a> is a high severity deserialization vulnerability in JMSSink. JMSSink uses JNDI in an unprotected manner allowing any application using the JMSSink to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accesseed by the attacker. For example, he attacker can cause remote code execution by manipulating the data in the LDAP store.</p>
-                <p><a href="https://www.cvedetails.com/cve/CVE-2022-23305/">CVE-2022-23305</a> is a high serverity SQL injection flaw in JDBCAppender that is similar to CVE-2022-44228 in that it allows the data being logged to modify the behavior of the component. By design, the JDBCAppender in Log4j 1.2.x accepts a query string as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This  [...]
+                <p><a href="https://www.cvedetails.com/cve/CVE-2022-23305/">CVE-2022-23305</a> is a high serverity SQL injection flaw in JDBCAppender that allows the data being logged to modify the behavior of the component. By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL [...]
                 <p><a href="https://www.cvedetails.com/cve/CVE-2022-23307/">CVE-2022-23307</a> is a critical severity against the chainsaw component in Log4j 1.x. This is the same issue corrected in CVE-2020-9493 fixed in Chainsaw 2.1.0 but Chainsaw was included as part of Log4j 1.2.x.</p> 
               <h2>Java Version Incompatibilities</h2>
                 <p>The version detection algorithm changed in Java 9 which causes the MDC not to work properly. See <a href="https://blogs.apache.org/logging/entry/moving_on_to_log4j_2">Log4j 1.2 is broken on Java 9</a> for details.</p>
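Review bot: "serverity" is still misspelled in the rewritten CVE-2022-23305 paragraph; the rewrite drops the CVE-2022-44228 comparison and changes "query string" to "SQL statement" but carries the typo over from the removed line. The unchanged context lines in this hunk also still contain "accesseed" and "he attacker" in the CVE-2021-4104 and CVE-2022-23302 paragraphs, so a follow-up commit should fix all three together. Since the paragraph now states plainly that logged data can alter the SQL statement, it would help readers to add the practical mitigation for a 1.2.x deployment, namely not routing untrusted input through a JDBCAppender pattern (or not using the appender at all), consistent with the "will not be fixed" notice at the top of the section.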