This is an automated email from the ASF dual-hosted git repository. martin_s pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/archiva-site.git
commit 19f2dd9a5767fec50695ca784445e5581078619b Author: Martin Stockhammer <[email protected]> AuthorDate: Sun Dec 19 11:15:27 2021 +0100 Adding new security information --- src/site/apt/security.apt | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/site/apt/security.apt b/src/site/apt/security.apt index 136004d..3b6a113 100644 --- a/src/site/apt/security.apt +++ b/src/site/apt/security.apt @@ -36,6 +36,14 @@ Security Vulnerabilities %{toc|fromDepth=2|toDepth=2} +* {CVE-2021-45105}: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation + + This may be used by attackers, if users changed the default Archiva log4j2.xml configuration. + +* {CVE-2021-45046}: Apache log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations + + This may be used by attackers, if users changed the default Archiva log4j2.xml configuration. + * {CVE-2021-44228}: Apache log4j2 is vulnerable to remote code execution As mentioned in this CVE Apache log4j2 libraries are vulnerable to remote code execution.
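Review bot: Both added entries (CVE-2021-45105 and CVE-2021-45046) give the same condition, "if users changed the default Archiva log4j2.xml configuration", without saying which changes expose an installation or what an affected user should do. The titles already point at the relevant feature ("lookup evaluation", "Thread Context Lookup Pattern"). Suggest that each entry name the kind of log4j2.xml change that matters, so an administrator can check their own file, and add a remediation line, such as the fixed version or a mitigation. "This may be used by attackers" also has no clear antecedent; "This vulnerability may be exploitable if ..." reads better, and the comma before "if" can go. Minor: the product name is "Apache Log4j2" in the first added title but "Apache log4j2" in the second and in the existing CVE-2021-44228 entry; pick one spelling.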
