This is an automated email from the ASF dual-hosted git repository. rgoers pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git
commit 6a07dc24dd0375885f25dfd01841b5313486bb80 Author: Ralph Goers <[email protected]> AuthorDate: Fri Dec 10 02:12:10 2021 -0700 update severity --- log4j-2.15.0/security.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/log4j-2.15.0/security.html b/log4j-2.15.0/security.html index 59426b7..056123b 100644 --- a/log4j-2.15.0/security.html +++ b/log4j-2.15.0/security.html @@ -165,7 +165,7 @@ <p>If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the <a class="externalLink" href="mailto:[email protected]";>Log4j Security Team</a>. Thank you.</p><section><section> <h3><a name="Fixed_in_Log4j_2.15.0"></a>Fixed in Log4j 2.15.0</h3> <p><a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228";>CVE-2021-44228</a>: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.</p> -<p>Severity: High</p> +<p>Severity: Critical</p> <p>Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H</p> <p>Versions Affected: all versions from 2.0-beta9 to 2.14.1</p> <p>Descripton: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.</p>
