Posted to commits@sling.apache.org by ro...@apache.org on 2021/12/16 16:15:36 UTC

[sling-site] branch master updated: Add security advisory for CVE-2021-44228/LOGBACK-1591

This is an automated email from the ASF dual-hosted git repository.

rombert pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-site.git


The following commit(s) were added to refs/heads/master by this push:
     new 9fa8039  Add security advisory for CVE-2021-44228/LOGBACK-1591
9fa8039 is described below

commit 9fa80392c89bdccfc23421f4cb8e37defd62a9c5
Author: Robert Munteanu <ro...@apache.org>
AuthorDate: Thu Dec 16 11:57:27 2021 +0100

    Add security advisory for CVE-2021-44228/LOGBACK-1591
---
 src/main/jbake/content/news.md               |  1 +
 src/main/jbake/content/security/log4shell.md | 23 +++++++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/src/main/jbake/content/news.md b/src/main/jbake/content/news.md
index e232805..d2a650e 100644
--- a/src/main/jbake/content/news.md
+++ b/src/main/jbake/content/news.md
@@ -5,6 +5,7 @@ tags=news
 tableOfContents=false
 ~~~~~~
 
+* Security Advisory: [Apache Sling advisory regarding CVE-2021-44228 and LOGBACK-1591](./security/log4shell.html)
 * Our documentation pages now have an edit link in their footer: patches, which are very welcome, are now easier than ever!
 * The new [hierarchical sitemap](./sitemap.html) helps you find the right page, along with the existing [tags pages](./tags/development.html).
 * Released [Apache Sling Adapter Annotations 2.0](https://github.com/apache/sling-org-apache-sling-adapter-annotations), a new module that implements OSGi DS 1.4 component property type annotations for Sling Adapters.
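Review bot: the new bullet's "Security Advisory:" prefix repeats the wording of the link text that follows it ("Apache Sling advisory regarding ..."); either drop the prefix or shorten the link text to the identifiers, e.g. `* Security Advisory: [CVE-2021-44228 and LOGBACK-1591](./security/log4shell.html)`, so the entry reads once.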
diff --git a/src/main/jbake/content/security/log4shell.md b/src/main/jbake/content/security/log4shell.md
new file mode 100644
index 0000000..6237914
--- /dev/null
+++ b/src/main/jbake/content/security/log4shell.md
@@ -0,0 +1,23 @@
+title=Apache Sling advisory regarding CVE-2021-44228 and LOGBACK-1591
+type=page
+status=published
+tags=security
+tableOfContents=false
+~~~~~~
+
+On 9th December 2021, a new zero-day vulnerability for Apache Log4j was reported. It is tracked under [CVE-2021-44228](
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) and affects Log4j versions from 2.0.1 (inclusive) to 2.15.0
+(exclusive). It is also known under the 'log4shell' name.
+
+Apache Sling modules use the Simple Logging Facade for Java (slf4j) for logging, backed by the [Sling Commons OSGi
+bundle](https://github.dev/apache/sling-org-apache-sling-commons-log/).There are no Sling modules using versions of Log4j
+affected by log4shell. The Sling Starter and Sling CMS applications do not include any vulnerable version of the Log4j library.
+
+Applications built on top of Apache Sling are not impacted by CVE-2021-44228, provided they do not deploy
+a vulnerable version of log4j themselves.
+
+The Sling Commons OSGi bundle wraps logback-core and logback-classic, but does not allow arbitrary modifications to
+the logback.xml file and is therefore not vulnerable to the attack described in [LOGBACK-1591](https://jira.qos.ch/browse/LOGBACK-1591) .
+
+The Apache Sling PMC recommends that developers and operators of applications built on top of Apache Sling review the libraries they
+deploy to ensure that they do not include vulnerable versions of Log4j.
\ No newline at end of file
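Review bot: the link to the Sling Commons Log repository points at `github.dev`, the in-browser editor domain, rather than `github.com`; readers following it from the published advisory land in an editor session instead of the repository page, so it should read `https://github.com/apache/sling-org-apache-sling-commons-log/`. The affected-version range in the first paragraph ("from 2.0.1 (inclusive) to 2.15.0 (exclusive)") should also be checked against the linked CVE-2021-44228 record before publishing, as the lower bound given here does not include the 2.0 pre-release builds that the upstream Log4j advisory lists as affected. Two typos in the same file: a space is missing after the period in `bundle](...).There are no Sling modules`, and there is a stray space before the final period in `LOGBACK-1591) .`. Finally, the new file is committed without a trailing newline (`\ No newline at end of file`); adding one keeps the Markdown sources consistent and avoids noisy diffs on the next edit.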