Posted to commits@logging.apache.org by rp...@apache.org on 2021/12/14 14:28:23 UTC

[logging-log4j-site] branch asf-staging updated: [DOC] stop recommending 2.15

This is an automated email from the ASF dual-hosted git repository.

rpopma pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new 94f51a0  [DOC] stop recommending 2.15
94f51a0 is described below

commit 94f51a00a2bf1a2d949b3a93bcbf3a1a498ee780
Author: Remko Popma <re...@yahoo.com>
AuthorDate: Tue Dec 14 23:28:14 2021 +0900

    [DOC] stop recommending 2.15
---
 log4j-2.16.0/index.html    | 2 +-
 log4j-2.16.0/security.html | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/log4j-2.16.0/index.html b/log4j-2.16.0/index.html
index 2a7953d..e9b4834 100644
--- a/log4j-2.16.0/index.html
+++ b/log4j-2.16.0/index.html
@@ -159,7 +159,7 @@
 <h1>Apache Log4j 2</h1>
 <p>Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many of the improvements available in Logback while fixing some inherent problems in Logback&#x2019;s architecture.</p><section>
 <h2><a name="Important:_Security_Vulnerability_CVE-2021-44228"></a><a name="CVE-2021-44228"></a>Important: Security Vulnerability CVE-2021-44228</h2>
-<p>The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, that has been addressed in Log4j 2.15.0 and 2.16.0.</p>
+<p>The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, that has been addressed in Log4j 2.16.0.</p>
 <p>Log4j&#x2019;s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code execution.</p>
 <p>One vector that allowed exposure to this vulnerability was Log4j&#x2019;s allowance of Lookups to appear in log messages. This meant that when user input is logged, and that user input contained a JNDI Lookup pointing to a malicious server, then Log4j would resolve that JNDI Lookup, connect to that server, and potentially download serialized Java code from that remote server. This in turn could execute any code during deserialization. This is known as a RCE (Remote Code Execution) att [...]
 <p>From version 2.16.0, the message lookups feature has been completely removed. Lookups in configuration still work. Furthermore, Log4j now disables access to JNDI by default. JNDI lookups in configuration now need to be enabled explicitly. Also, Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap protocols to only accessing Java primitive objects. Hosts other than the local host need to be explicitly allowed.</p>
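Review bot: the `+` line drops 2.15.0 from the versions in which CVE-2021-44228 "has been addressed", but nothing in this paragraph tells a reader who already deployed 2.15.0 why that release is no longer listed; the commit message says "stop recommending 2.15", yet on the page the recommendation is only implied by omission, and the rationale appears two paragraphs later ("From version 2.16.0, the message lookups feature has been completely removed"). Consider adding one sentence directly after the `+` line stating that users on 2.15.0 should upgrade to 2.16.0, so the guidance is explicit rather than something the reader has to infer from a diff.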
diff --git a/log4j-2.16.0/security.html b/log4j-2.16.0/security.html
index a6110fa..842612a 100644
--- a/log4j-2.16.0/security.html
+++ b/log4j-2.16.0/security.html
@@ -164,7 +164,7 @@
 <p>If you need help on building or configuring Log4j or other help on following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public Log4j Users mailing list</p>
 <p>If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the <a class="externalLink" href="mailto:private@logging.apache.org">Log4j Security Team</a>. Thank you.</p><section><section>
 <p><a name="CVE-2021-44228"></a> <a name="cve-2021-44228"></a></p><section><section>
-<h3><a name="Fixed_in_Log4j_2.15.0_and_2.16.0"></a>Fixed in Log4j 2.15.0 and 2.16.0</h3><section>
+<h3><a name="Fixed_in_Log4j_2.15.0_and_2.16.0"></a>Fixed in Log4j 2.16.0</h3><section>
 <h4><a name="CVE-2021-44228"></a>CVE-2021-44228</h4>
 <p><a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228">CVE-2021-44228</a>:  Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.</p>
 <p>Severity: Critical</p>
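Review bot: the `+` line changes the heading text to "Fixed in Log4j 2.16.0" but leaves the anchor as `<a name="Fixed_in_Log4j_2.15.0_and_2.16.0">`, so the anchor no longer matches the heading it labels. If this HTML is generated from the site sources, this hand edit will be overwritten and the anchor regenerated on the next build, so the change belongs in the source; if the HTML is edited directly, keep the old anchor for existing inbound links and add a matching `<a name="Fixed_in_Log4j_2.16.0"></a>` beside it. Separately, the context lines show `<a name="CVE-2021-44228">` declared twice on this page (in the `<p>` above the heading and in the `<h4>` below it), so a fragment link to `#CVE-2021-44228` resolves to the first one only; worth de-duplicating while this section is being touched.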