This is an automated email from the ASF dual-hosted git repository. rgoers pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git
commit 55b3de743d97f14d7e34440934dd2e3c5fde5b8a Author: Ralph Goers <[email protected]> AuthorDate: Thu Dec 9 23:30:20 2021 -0700 Fix typos --- log4j-2.15.0/index.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/log4j-2.15.0/index.html b/log4j-2.15.0/index.html index ee09c06..a0f3f22 100644 --- a/log4j-2.15.0/index.html +++ b/log4j-2.15.0/index.html @@ -200,11 +200,11 @@ <p>Log4j’s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code execution. Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap protocols to only accessing Java primitive objects by default served on the local host.</p> -<p>One vector that allowed exposure to this vulnerability was Log4j’s allowance of Lookups to appear in log messages. As of Log4j 2.15.0 this feature is now disabled by default. While an option has been provided to enable Lookups in this fashion users are strongly discouraged from enabling it.</p> +<p>One vector that allowed exposure to this vulnerability was Log4j’s allowance of Lookups to appear in log messages. As of Log4j 2.15.0 this feature is now disabled by default. While an option has been provided to enable Lookups in this fashion, users are strongly discouraged from enabling it.</p> <p>Users who cannot upgrade to 2.15.0 can mitigate the exposure by: <ul> -<li>>Users of Log4j 2.10 or greater may add -Dlog4j.formatMsgNoLookups=true as a command line option or add log4j.formatMsgNoLookups to a log4j2.component.properties file on the classpath to prevent lookups in log event messages.</li> +<li>>Users of Log4j 2.10 or greater may add -Dlog4j.formatMsgNoLookups=true as a command line option or add log4j.formatMsgNoLookups=true to a log4j2.component.properties file on the classpath to prevent lookups in log event messages.</li> <li>>Users since Log4j 2.7 may specify %m{nolookups} in the PatternLayout configuration to prevent lookups in log event messages.</li> <li>>Remove the JndiLookup and JndiManager classes from the log4j-core jar. Removal of the JndiManager will cause the JndiContextSelector and JMSAppender to no longer function.</li> </ul>
