Posted to commits@logging.apache.org by vy...@apache.org on 2022/01/27 08:31:42 UTC

[logging-log4j2] 03/03: Add mention of "CVE creation process" to the security page.

This is an automated email from the ASF dual-hosted git repository.

vy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git

commit 97e9c5a0afb25359c2bf8652b9556260184e16f0
Author: Volkan Yazıcı <vo...@yazi.ci>
AuthorDate: Thu Jan 27 09:31:08 2022 +0100

    Add mention of "CVE creation process" to the security page.
---
 src/site/asciidoc/security.adoc | 35 ++++++++++++++++++++++++-----------
 1 file changed, 24 insertions(+), 11 deletions(-)

diff --git a/src/site/asciidoc/security.adoc b/src/site/asciidoc/security.adoc
index cb4ec2c..ab9a90e 100644
--- a/src/site/asciidoc/security.adoc
+++ b/src/site/asciidoc/security.adoc
@@ -15,7 +15,7 @@
     limitations under the License.
 ////
 
-# Apache Log4j Security Vulnerabilities
+= Apache Log4j Security Vulnerabilities
 
 This page lists all the security vulnerabilities fixed in released versions of Apache Log4j 2.
 Each vulnerability is given a link:#Security_Impact_Levels[security impact rating]
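Review bot: the cross-reference `link:#Security_Impact_Levels[security impact rating]` on the unchanged context line just below the retitled heading targets an anchor that this same patch renames to `[#impact-levels]` further down, so the link will dangle once the change lands. Update it here to `link:#impact-levels[security impact rating]`, or switch to the `<<impact-levels,security impact rating>>` xref form so Asciidoctor can warn when the target does not resolve.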
@@ -44,7 +44,8 @@ If you have encountered an unlisted security vulnerability or other unexpected b
 that has security impact, or if the descriptions here are incomplete, please report them
 privately to the mailto:private@logging.apache.org[Log4j Security Team]. Thank you.
 
-### Fixed in Log4j 2.15.0
+[#log4j-2-15-0]
+=== Fixed in Log4j 2.15.0
 
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228[CVE-2021-4422]:  Apache Log4j2 JNDI
 features do not protect against attacker controlled LDAP and other JNDI related endpoints.
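Review bot: the link label `[CVE-2021-4422]` on the unchanged line directly under the new `=== Fixed in Log4j 2.15.0` heading drops the last digit of the identifier in its own URL (`CVE-2021-44228`); since this commit already touches the heading above it, correct the label to `[CVE-2021-44228]` in the same change so the rendered advisory names the right CVE.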
@@ -72,7 +73,8 @@ Credit: This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team
 References: https://issues.apache.org/jira/browse/LOG4J2-3201[https://issues.apache.org/jira/browse/LOG4J2-3201]
 and https://issues.apache.org/jira/browse/LOG4J2-3198[https://issues.apache.org/jira/browse/LOG4J2-3198].
 
-### Fixed in Log4j 2.13.2
+[#log4j-2-13-2]
+=== Fixed in Log4j 2.13.2
 
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9488[CVE-2020-9488]:
 Improper validation of certificate with host mismatch in Apache Log4j SMTP appender.
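Review bot: the `=== Fixed in ...` headings introduced in this and the neighbouring hunks are level-2 sections placed directly under the level-0 document title (`=`) with no `==` section in between, which Asciidoctor reports as a section title out of sequence and which produces an oddly nested TOC. Either promote them to `==`, or group them under a new level-1 section such as `== Fixed vulnerabilities` so the later `== Summary of security impact levels for Apache Log4j` sits at the same depth.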
@@ -103,7 +105,8 @@ Credit: This issues was discovered by Peter Stöckli.
 
 References: https://issues.apache.org/jira/browse/LOG4J2-2819
 
-### Fixed in Log4j 2.8.2
+[#log4j-2-8-2]
+=== Fixed in Log4j 2.8.2
 
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645[CVE-2017-5645]: Apache Log4j socket
 receiver deserialization vulnerability.
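Review bot: the hunk header's context line `Credit: This issues was discovered by Peter Stöckli.` carries a pre-existing typo (`This issues` should read `This issue`); since the surrounding heading is being rewritten anyway, fix it in this commit. The bare `References: https://issues.apache.org/jira/browse/LOG4J2-2819` line is also inconsistent with the `url[text]` link form used in the other entries; pick one style for the whole page.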
@@ -129,8 +132,8 @@ at Telstra
 
 References: <https://issues.apache.org/jira/browse/LOG4J2-1863>
 
-[#Security_Impact_Levels]
-## Summary of security impact levels for Apache Log4j
+[#impact-levels]
+== Summary of security impact levels for Apache Log4j
 The Apache Log4j Security Team rates the impact of each security flaw that affects Log4j.
 We've chosen a rating scale quite similar to those used by other major vendors in order to
 be consistent. Basically the goal of the rating system is to answer the question "How worried
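Review bot: renaming `[#Security_Impact_Levels]` to `[#impact-levels]` changes a fragment identifier that is already referenced from this page's own introduction (`link:#Security_Impact_Levels[security impact rating]`, untouched by this patch) and very likely from external advisories and bookmarks pointing at `security.html#Security_Impact_Levels`. Update the intro link in this commit, and consider keeping the old id resolvable (for example with an additional inline anchor `[[Security_Impact_Levels]]` on the heading) so existing links keep working. Also add a blank line between `== Summary of security impact levels for Apache Log4j` and the paragraph that follows, matching the spacing used after every other heading in the file.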
@@ -142,24 +145,34 @@ need to read the security advisories to find out more about the flaw.
 
 We use the following descriptions to decide on the impact rating to give each vulnerability:
 
-### Critical
+[#impact-levels-critical]
+=== Critical
 A vulnerability rated with a Critical impact is one which could potentially be exploited by
 a remote attacker to get Log4j to execute arbitrary code (either as the user the server is
 running as, or root). These are the sorts of vulnerabilities that could be exploited automatically
 by worms.
 
-### Important
+[#impact-levels-important]
+=== Important
 A vulnerability rated as Important impact is one which could result in the compromise of data
 or availability of the server. For Log4j this includes issues that allow an easy remote denial
 of service (something that is out of proportion to the attack or with a lasting consequence),
 access to arbitrary files outside of the context root, or access to files that should be otherwise
 prevented by limits or authentication.
 
-### Moderate
+[#impact-levels-moderate]
+=== Moderate
 A vulnerability is likely to be rated as Moderate if there is significant mitigation to make the
 issue less of an impact. This might be because the flaw does not affect likely configurations, or
 it is a configuration that isn't widely used.
 
-### Low
+[#impact-levels-low]
+=== Low
 All other security flaws are classed as a Low impact. This rating is used for issues that are believed
-to be extremely hard to exploit, or where an exploit gives minimal consequences.
\ No newline at end of file
+to be extremely hard to exploit, or where an exploit gives minimal consequences.
+
+[#cve-creation]
+== CVE creation process
+
+Found security vulnerabilities are subject to voting (by means of https://logging.apache.org/guidelines.html[_lazy approval_], preferably) before creating a CVE and populating its associated content.
+This procedure involves only the creation of CVEs and blocks neither (vulnerability) fixes, nor releases.
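Review bot: the new `== CVE creation process` section says a vote happens but not who is eligible to vote or where it takes place; a reader reporting an issue cannot tell whether the Log4j Security Team, the PMC, or the dev list decides, nor whether the vote is held on the `private@logging.apache.org` list already named earlier on this page. Name the voting body and venue explicitly. Two wording points on the added lines: `Found security vulnerabilities` reads awkwardly, `Reported security vulnerabilities` (or `Confirmed ...`) says what is meant, and `blocks neither (vulnerability) fixes, nor releases` should drop the comma before `nor` in a `neither ... nor` pair.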