Posted to notifications@logging.apache.org by "Remko Popma (Jira)" <ji...@apache.org> on 2021/12/13 08:50:00 UTC

[jira] [Updated] (LOG4J2-3214) update security page text for CVE-2021-44228

     [ https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Remko Popma updated LOG4J2-3214:
--------------------------------
    Description: 
I propose to update the text for the mitigation section of CVE-2021-44228 on [https://logging.apache.org/log4j/2.x/security.html]

Changes: add Log4j 1.x section, and format the Log4j 2.x section as a bullet point list for improved readability.
----
*Log4j 1.x mitigation* - Audit your logging configuration to ensure it has no {{JMSAppender}} configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.

{*}Log4j 2.x mitigation{*}: (any one of the below will mitigate the vulnerability)
 * If possible, upgrade to the latest version: 2.15.0.
 * In releases >=2.10, you can:
 ** set system property {{log4j2.formatMsgNoLookups}} to {{true}} (see [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties])
 ** or set environment variable {{LOG4J_FORMAT_MSG_NO_LOOKUPS}} to {{true}} (see [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties]).
 * In releases from 2.7 through 2.14.1, you can modify your logging configuration to specify the message converter as {{%m{nolookups}}} instead of just {{%m}}.
 * For releases from 2.0-beta9 to 2.7, the only mitigation is to remove the {{JndiLookup}} class from the classpath: {{zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class}}.

  was:
I propose to update the text for the mitigation section of CVE-2021-44228 on [https://logging.apache.org/log4j/2.x/security.html]

Changes: add Log4j 1.x section, and format the Log4j 2.x section as a bullet point list for improved readability.
----
*Log4j 1.x mitigation* - Audit your logging configuration to ensure it has no {{JMSAppender}} configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.

{*}Log4j 2.x mitigation{*}: (any one of the below will mitigate the vulnerability)
 * If possible, upgrade to the latest version: 2.15.0.
 * In releases >=2.10, you can:
 ** set system property {{log4j2.formatMsgNoLookups}} to {{true}} (see [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties])
 ** or set environment variable {{LOG4J_FORMAT_MSG_NO_LOOKUPS}} to {{true}} (see [details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties]).
 * In releases from 2.7 through 2.14.1, you can modify your logging configuration to specify the message converter as {{%m{nolookups}}} instead of just {{%m}}.
 * For releases from 2.0-beta9 to 2.7, the only mitigation is to remove the {{JndiLookup}} class from the classpath: {{zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class}}.


> update security page text for CVE-2021-44228
> --------------------------------------------
>
>                 Key: LOG4J2-3214
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3214
>             Project: Log4j 2
>          Issue Type: Documentation
>            Reporter: Remko Popma
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
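An added triage helper, not part of the ticket or of the Log4j project, that applies the Log4j 2.x bullet list above to a log4j-core jar: it reads the manifest's Implementation-Version (assumed to be present, as Maven-built jars carry it), checks whether JndiLookup.class is still in the archive, and reports which of the listed options apply to that version. The jar it inspects is a constructed stand-in built in memory; the version ordering treats -betaN and -rcN releases as earlier than the final release.

```python
import io
import re
import zipfile
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class the ticket says to delete
STAGES = {"beta": 0, "rc": 1, None: 2}  # pre-releases sort before the final release

def parse_version(text):
    """Turn '2.0-beta9', '2.0-rc1', '2.10' or '2.14.1' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch or 0), STAGES[stage], int(num or 0))

def mitigations(version):
    """Options from the ticket's bullet list that apply to one log4j-core version."""
    v = parse_version(version)
    if v >= parse_version("2.15.0"):
        return ["no action: 2.15.0 or later"]
    if v < parse_version("2.0-beta9"):
        return ["outside the 2.x range the ticket covers"]
    opts = ["upgrade to 2.15.0"]
    if v >= parse_version("2.10"):
        opts.append("log4j2.formatMsgNoLookups=true or LOG4J_FORMAT_MSG_NO_LOOKUPS=true")
    if v >= parse_version("2.7"):
        opts.append("%m{nolookups} instead of %m in the layout")
    else:
        opts.append("remove JndiLookup.class from the jar (only option here)")
    return opts

def triage_jar(data):
    """Manifest version plus JndiLookup.class check; an unparsable version raises ValueError."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names, version = set(zf.namelist()), None
        if "META-INF/MANIFEST.MF" in names:
            for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
    present = JNDI_CLASS in names
    # A jar without the class has already had the 2.0-beta9..2.7 mitigation applied.
    options = mitigations(version or "unknown") if present else ["JndiLookup.class already removed"]
    return {"version": version, "jndi_lookup_present": present, "options": options}

def build_fake_jar(version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar; only the manifest and entry names matter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # fake class bytes, not a real JndiLookup
    return buf.getvalue()
```

To run it against real jars, pass the file's bytes to `triage_jar` instead of the constructed archive.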