[logging-log4j-site] branch asf-staging updated: update CVSS score

Fri, 10 Dec 2021 01:11:23 -0800 

This is an automated email from the ASF dual-hosted git repository.

rgoers pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new a96ef6a  update CVSS score
a96ef6a is described below

commit a96ef6a4133403c58772987952814da45ef9397a
Author: Ralph Goers <[email protected]>
AuthorDate: Fri Dec 10 02:11:06 2021 -0700

    update CVSS score
---
 log4j-2.15.0/security.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/log4j-2.15.0/security.html b/log4j-2.15.0/security.html
index 430d7a2..59426b7 100644
--- a/log4j-2.15.0/security.html
+++ b/log4j-2.15.0/security.html
@@ -166,7 +166,7 @@
 <h3><a name="Fixed_in_Log4j_2.15.0"></a>Fixed in Log4j 2.15.0</h3>
 <p><a class="externalLink" 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228";>CVE-2021-44228</a>:
  Apache Log4j2 JNDI features do not protect against attacker controlled LDAP 
and other JNDI related endpoints.</p>
 <p>Severity: High</p>
-<p>Overall CVSS Score: 9.0 
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:L/MI:H/MA:H</p>
+<p>Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H</p>
 <p>Versions Affected: all versions from 2.0-beta9 to 2.14.1</p>
 <p>Descripton: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log 
messages, and parameters do not protect against attacker controlled LDAP and 
other JNDI related endpoints. An attacker who can control log messages or log 
message parameters can execute arbitrary code loaded from LDAP servers when 
message lookup substitution is enabled. From log4j 2.15.0, this behavior has 
been disabled by default.</p>
 <p>Mitigation: In previous releases (>=2.10) this behavior can be mitigated by 
setting system property "log4j2.formatMsgNoLookups" to “true” or by removing 
the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar 
org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see 
https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects 
against RCE by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and 
"com.sun.jndi.cosnaming.object.trust [...]

Reply via email to