This is an automated email from the ASF dual-hosted git repository. rgoers pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git
commit 86e3e7f69bda172f2e3d002c79e84db39c6619ac Author: Ralph Goers <[email protected]> AuthorDate: Fri Dec 10 02:11:06 2021 -0700 update CVSS score --- log4j-2.15.0/security.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/log4j-2.15.0/security.html b/log4j-2.15.0/security.html index 430d7a2..59426b7 100644 --- a/log4j-2.15.0/security.html +++ b/log4j-2.15.0/security.html @@ -166,7 +166,7 @@ <h3><a name="Fixed_in_Log4j_2.15.0"></a>Fixed in Log4j 2.15.0</h3> <p><a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228";>CVE-2021-44228</a>: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.</p> <p>Severity: High</p> -<p>Overall CVSS Score: 9.0 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:L/MI:H/MA:H</p> +<p>Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H</p> <p>Versions Affected: all versions from 2.0-beta9 to 2.14.1</p> <p>Descripton: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.</p> <p>Mitigation: In previous releases (>=2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against RCE by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trust [...]
