This is an automated email from the ASF dual-hosted git repository.

rgoers pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new 6f884bb  Update to include CVE text
6f884bb is described below

commit 6f884bbb8f1d2e6e40c08fab61e799656a9d22e7
Author: Ralph Goers <[email protected]>
AuthorDate: Thu Dec 9 23:26:04 2021 -0700

    Update to include CVE text
---
 log4j-2.15.0/index.html          | 16 ++++++++++++++++
 log4j-2.15.0/manual/layouts.html |  5 +++++
 log4j-2.15.0/security.html       | 10 ++++++++++
 3 files changed, 31 insertions(+)

diff --git a/log4j-2.15.0/index.html b/log4j-2.15.0/index.html
index fb80eb7..ee09c06 100644
--- a/log4j-2.15.0/index.html
+++ b/log4j-2.15.0/index.html
@@ -195,6 +195,22 @@
 <h2><a name="Requirements"></a>Requirements</h2>
 <p>Log4j 2.13.0 and greater require Java 8. Version 2.4 through 2.12.1 
required Java 7 (the Log4j team no longer supports Java 7). Some features 
require optional dependencies; the documentation for these features will 
specify the required dependencies.</p></section><section>
 <h2><a name="News"></a>News</h2>
+<h3>CVE-2021-44228</h3>
+<p>The Log4j team has been made aware of a security vulnerability, 
CVE-2021-44228, that has been addressed in Log4j 2.15.0.</p>
+
+<p>Log4j’s JNDI support has not restricted what names could be resolved. Some 
protocols are unsafe or can allow remote code execution. Log4j now limits the 
protocols by default to only java, ldap, and ldaps and limits the ldap 
protocols to only accessing Java primitive objects by default served on the 
local host.</p>
+
+<p>One vector that allowed exposure to this vulnerability was Log4j’s 
allowance of Lookups to appear in log messages. As of Log4j 2.15.0 this feature 
is now disabled by default. While an option has been provided to enable Lookups 
in this fashion users are strongly discouraged from enabling it.</p>
+
+<p>Users who cannot upgrade to 2.15.0 can mitigate the exposure by:
+<ul>
+<li>>Users of Log4j 2.10 or greater may add -Dlog4j.formatMsgNoLookups=true as 
a command line option or add log4j.formatMsgNoLookups to a 
log4j2.component.properties file on the classpath to prevent lookups in log 
event messages.</li>
+<li>>Users since Log4j 2.7 may specify %m{nolookups} in the PatternLayout 
configuration to prevent lookups in log event messages.</li>
+<li>>Remove the JndiLookup and JndiManager classes from the log4j-core jar. 
Removal of the JndiManager will cause the JndiContextSelector and JMSAppender 
to no longer function.</li>
+</ul>
+
+</p>
+<h3>Other News</h3>
 <p>Log4j 2.15.0 is now available for production. The API for Log4j 2 is not 
compatible with Log4j 1.x, however an adapter is available to allow 
applications to continue to use the Log4j 1.x API. Adapters are also available 
for Apache Commons Logging, SLF4J, and java.util.logging.</p>
 <p>Log4j 2.15.0 is the latest release of Log4j. As of Log4j 2.13.0 Log4j 2 
requires Java 8 or greater at runtime. This release contains new features and 
fixes which can be found in the latest <a 
href="changes-report.html#a2.15.0">changes report</a>.</p>
 <p>Some of the new features in Log4j 2.15.0 include:</p>
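Review bot: the three list items in this hunk are written as `<li>>Users of Log4j 2.10 or greater ...`, `<li>>Users since Log4j 2.7 ...` and `<li>>Remove the JndiLookup ...`, so each bullet will render with a literal `>` in front of it; change them to `<li>`. The `<ul>` is also opened inside the `<p>Users who cannot upgrade to 2.15.0 can mitigate the exposure by:` paragraph, which is not valid HTML: the browser closes the `<p>` before the list and the trailing `</p>` is left orphaned, so close the paragraph before `<ul>` and drop the `</p>` after it. Finally, the first item says to "add log4j.formatMsgNoLookups to a log4j2.component.properties file" without a value while the command-line form gives `=true`; write `log4j.formatMsgNoLookups=true` for the properties file as well, and use the same property name as the security.html hunk in this commit, which calls it `log4j2.formatMsgNoLookups`.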
diff --git a/log4j-2.15.0/manual/layouts.html b/log4j-2.15.0/manual/layouts.html
index a9d5d9e..eb7c557 100644
--- a/log4j-2.15.0/manual/layouts.html
+++ b/log4j-2.15.0/manual/layouts.html
@@ -2333,6 +2333,11 @@ WARN  [main]: Message 2</pre></div>
                   more obvious to handle the lookup in code.
                   This feature is disabled by default and the message string 
is logged untouched.
                 </p>
+                <p>
+                  <b>Note: </b>Users are <b>STRONGLY</b> discouraged from 
using the lookups option. Doing so may allow uncontrolled user input
+                  containing lookups to take unintended actions. In almost all 
cases the software developer can accomplish the same tasks
+                  lookups perform directly in the application code.
+                </p>
               </td>
             </tr>
             
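Review bot: the added note warns against "the lookups option" but never names it, so a reader of this table cell cannot tell which message-converter option is meant or how to turn it off; name the option explicitly in the note and link to security.html, which this same commit updates with the CVE-2021-44228 mitigations (`%m{nolookups}`, the `formatMsgNoLookups` property, removing `JndiLookup`), so the warning points at a concrete fix rather than only discouraging use.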
diff --git a/log4j-2.15.0/security.html b/log4j-2.15.0/security.html
index e84a774..430d7a2 100644
--- a/log4j-2.15.0/security.html
+++ b/log4j-2.15.0/security.html
@@ -163,6 +163,16 @@
 <p>Please note that binary patches are never provided. If you need to apply a 
source code patch, use the building instructions for the Apache Log4j version 
that you are using. For Log4j 2 this is BUILDING.md. This file can be found in 
the root subdirectory of a source distributive.</p>
 <p>If you need help on building or configuring Log4j or other help on 
following the instructions to mitigate the known vulnerabilities listed here, 
please send your questions to the public Log4j Users mailing list</p>
 <p>If you have encountered an unlisted security vulnerability or other 
unexpected behaviour that has security impact, or if the descriptions here are 
incomplete, please report them privately to the <a class="externalLink" 
href="mailto:[email protected]";>Log4j Security Team</a>. Thank 
you.</p><section><section>
+<h3><a name="Fixed_in_Log4j_2.15.0"></a>Fixed in Log4j 2.15.0</h3>
+<p><a class="externalLink" 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228";>CVE-2021-44228</a>:
  Apache Log4j2 JNDI features do not protect against attacker controlled LDAP 
and other JNDI related endpoints.</p>
+<p>Severity: High</p>
+<p>Overall CVSS Score: 9.0 
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:L/MI:H/MA:H</p>
+<p>Versions Affected: all versions from 2.0-beta9 to 2.14.1</p>
+<p>Descripton: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log 
messages, and parameters do not protect against attacker controlled LDAP and 
other JNDI related endpoints. An attacker who can control log messages or log 
message parameters can execute arbitrary code loaded from LDAP servers when 
message lookup substitution is enabled. From log4j 2.15.0, this behavior has 
been disabled by default.</p>
+<p>Mitigation: In previous releases (>=2.10) this behavior can be mitigated by 
setting system property "log4j2.formatMsgNoLookups" to “true” or by removing 
the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar 
org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see 
https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects 
against RCE by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and 
"com.sun.jndi.cosnaming.object.trust [...]
+<p>Credit: This issue was discovered by Chen Zhaojun of Alibaba Cloud Security 
Team.</p>
+<p>References: <a class="externalLink" 
href="https://issues.apache.org/jira/browse/LOG4J2-3201";>https://issues.apache.org/jira/browse/LOG4J2-3201</a>
 and 
+    <a class="externalLink" 
href="https://issues.apache.org/jira/browse/LOG4J2-3198";>https://issues.apache.org/jira/browse/LOG4J2-3198</a></p></section><section>
 <h3><a name="Fixed_in_Log4j_2.13.2"></a>Fixed in Log4j 2.13.2</h3>
 <p><a class="externalLink" 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9488";>CVE-2020-9488</a>:
  Improper validation of certificate with host mismatch in Apache Log4j SMTP 
appender.</p>
 <p>Severity: Low</p>
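Review bot: "Descripton:" at the start of the description paragraph is misspelled and should read "Description:". The mitigation paragraph names the system property `log4j2.formatMsgNoLookups`, whereas the index.html hunk in this same commit uses `log4j.formatMsgNoLookups`; the two pages should agree on one name. That paragraph also appears truncated at `"com.sun.jndi.cosnaming.object.trust [...]` and no closing `</p>` is visible before the next `<p>Credit:` line, so confirm that the committed file carries the complete sentence and the closing tag rather than the cut-off form shown here.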
