This is an automated email from the ASF dual-hosted git repository.
vy pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git
The following commit(s) were added to refs/heads/asf-staging by this push:
new 93b191d Update mitigation techniques for CVE-2021-44228.
93b191d is described below
commit 93b191de09105fd931c5359f962fd7d540dd9915
Author: Volkan Yazıcı <[email protected]>
AuthorDate: Fri Dec 10 21:57:28 2021 +0100
Update mitigation techniques for CVE-2021-44228.
---
log4j-2.15.0/security.html | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/log4j-2.15.0/security.html b/log4j-2.15.0/security.html
index 056123b..fbaf48b 100644
--- a/log4j-2.15.0/security.html
+++ b/log4j-2.15.0/security.html
@@ -169,7 +169,7 @@
<p>Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H</p>
<p>Versions Affected: all versions from 2.0-beta9 to 2.14.1</p>
<p>Descripton: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log
messages, and parameters do not protect against attacker controlled LDAP and
other JNDI related endpoints. An attacker who can control log messages or log
message parameters can execute arbitrary code loaded from LDAP servers when
message lookup substitution is enabled. From log4j 2.15.0, this behavior has
been disabled by default.</p>
-<p>Mitigation: In previous releases (>=2.10) this behavior can be mitigated by
setting system property "log4j2.formatMsgNoLookups" to “true” or by removing
the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar
org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see
https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects
against RCE by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and
"com.sun.jndi.cosnaming.object.trust [...]
+<p>Mitigation: In releases >=2.10, this behavior can be mitigated by setting
system property <code>log4j2.formatMsgNoLookups</code> to <code>true</code>.
Another mitigation technique, which is applicable for all releases from
2.0-beta9 to 2.14.1, is to remove the <code>JndiLookup</code> class from the
classpath: <code>zip -q -d log4j-core-*.jar
org/apache/logging/log4j/core/lookup/JndiLookup.class</code>.
<p>Credit: This issue was discovered by Chen Zhaojun of Alibaba Cloud Security
Team.</p>
<p>References: <a class="externalLink"
href="https://issues.apache.org/jira/browse/LOG4J2-3201";>https://issues.apache.org/jira/browse/LOG4J2-3201</a>
and
<a class="externalLink"
href="https://issues.apache.org/jira/browse/LOG4J2-3198";>https://issues.apache.org/jira/browse/LOG4J2-3198</a></p></section><section>
