This is an automated email from the ASF dual-hosted git repository.

vy pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git

commit 00a366eaa5b94770a5fb2061669de6c7a1ac88cb
Author: Volkan Yazıcı <[email protected]>
AuthorDate: Fri Dec 10 21:57:28 2021 +0100

    Update mitigation techniques for CVE-2021-44228.
---
 log4j-2.15.0/index.html    | 8 +-------
 log4j-2.15.0/security.html | 2 +-
 2 files changed, 2 insertions(+), 8 deletions(-)

diff --git a/log4j-2.15.0/index.html b/log4j-2.15.0/index.html
index a0f3f22..d7aa76a 100644
--- a/log4j-2.15.0/index.html
+++ b/log4j-2.15.0/index.html
@@ -202,14 +202,8 @@
 
 <p>One vector that allowed exposure to this vulnerability was Log4j’s 
allowance of Lookups to appear in log messages. As of Log4j 2.15.0 this feature 
is now disabled by default. While an option has been provided to enable Lookups 
in this fashion, users are strongly discouraged from enabling it.</p>
 
-<p>Users who cannot upgrade to 2.15.0 can mitigate the exposure by:
-<ul>
-<li>>Users of Log4j 2.10 or greater may add -Dlog4j.formatMsgNoLookups=true as 
a command line option or add log4j.formatMsgNoLookups=true to a 
log4j2.component.properties file on the classpath to prevent lookups in log 
event messages.</li>
-<li>>Users since Log4j 2.7 may specify %m{nolookups} in the PatternLayout 
configuration to prevent lookups in log event messages.</li>
-<li>>Remove the JndiLookup and JndiManager classes from the log4j-core jar. 
Removal of the JndiManager will cause the JndiContextSelector and JMSAppender 
to no longer function.</li>
-</ul>
+<p>For those who cannot upgrade to 2.15.0, in releases &gt;=2.10, this 
vulnerability can be mitigated by setting either the system property 
<code>log4j2.formatMsgNoLookups</code> or the environment variable 
<code>LOG4J_FORMAT_MSG_NO_LOOKUPS</code> to <code>true</code>. Another 
mitigation technique, which is applicable for all releases from 2.0-beta9 to 
2.14.1, is to remove the <code>JndiLookup</code> class from the classpath: 
<code>zip -q -d log4j-core-*.jar org/apache/logging/log4j/core [...]
 
-</p>
 <h3>Other News</h3>
 <p>Log4j 2.15.0 is now available for production. The API for Log4j 2 is not 
compatible with Log4j 1.x, however an adapter is available to allow 
applications to continue to use the Log4j 1.x API. Adapters are also available 
for Apache Commons Logging, SLF4J, and java.util.logging.</p>
 <p>Log4j 2.15.0 is the latest release of Log4j. As of Log4j 2.13.0 Log4j 2 
requires Java 8 or greater at runtime. This release contains new features and 
fixes which can be found in the latest <a 
href="changes-report.html#a2.15.0">changes report</a>.</p>
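Review bot: the added paragraph opening with `<p>For those who cannot upgrade to 2.15.0` has no visible closing tag, and this hunk also removes the `</p>` that closed the old paragraph; since the new line is cut off in this listing (`[...]`), please confirm the `</p>` is on that line, otherwise the paragraph runs into `<h3>Other News</h3>`. Two smaller points on the same hunk: the `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core...` command only works when the glob matches exactly one jar, because `zip -d` takes the first argument as the archive and every following argument as an entry to delete, so with two jars in the directory the second jar name is treated as an entry name and nothing is removed from it; either write the jar name out or say the command must be run once per jar. And the rewrite drops the `%m{nolookups}` option for 2.7 and later together with the JndiManager caveat, leaving users below 2.10 with only the class removal route; if that is intended it would be worth stating in the commit message.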
diff --git a/log4j-2.15.0/security.html b/log4j-2.15.0/security.html
index 056123b..26fd5e8 100644
--- a/log4j-2.15.0/security.html
+++ b/log4j-2.15.0/security.html
@@ -169,7 +169,7 @@
 <p>Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H</p>
 <p>Versions Affected: all versions from 2.0-beta9 to 2.14.1</p>
 <p>Descripton: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log 
messages, and parameters do not protect against attacker controlled LDAP and 
other JNDI related endpoints. An attacker who can control log messages or log 
message parameters can execute arbitrary code loaded from LDAP servers when 
message lookup substitution is enabled. From log4j 2.15.0, this behavior has 
been disabled by default.</p>
-<p>Mitigation: In previous releases (>=2.10) this behavior can be mitigated by 
setting system property "log4j2.formatMsgNoLookups" to “true” or by removing 
the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar 
org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see 
https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects 
against RCE by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and 
"com.sun.jndi.cosnaming.object.trust [...]
+<p>Mitigation: In releases >=2.10, this behavior can be mitigated by setting 
either the system property <code>log4j2.formatMsgNoLookups</code> or the 
environment variable <code>LOG4J_FORMAT_MSG_NO_LOOKUPS</code> to 
<code>true</code>. Another mitigation technique, which is applicable for all 
releases from 2.0-beta9 to 2.14.1, is to remove the <code>JndiLookup</code> 
class from the classpath: <code>zip -q -d log4j-core-*.jar 
org/apache/logging/log4j/core/lookup/JndiLookup.class</code>.
 <p>Credit: This issue was discovered by Chen Zhaojun of Alibaba Cloud Security 
Team.</p>
 <p>References: <a class="externalLink" 
href="https://issues.apache.org/jira/browse/LOG4J2-3201";>https://issues.apache.org/jira/browse/LOG4J2-3201</a>
 and 
     <a class="externalLink" 
href="https://issues.apache.org/jira/browse/LOG4J2-3198";>https://issues.apache.org/jira/browse/LOG4J2-3198</a></p></section><section>
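Review bot: the added `<p>Mitigation: ...` paragraph ends at `JndiLookup.class</code>.` with no `</p>` before the following `<p>Credit:`; add the closing tag. In the same line, `>=2.10` is left as a raw `>` while the equivalent sentence in index.html uses `&gt;=`, so use `&gt;=` here for consistency. The removed text also carried the note about Java 8u121 defaulting `com.sun.jndi.rmi.object.trustURLCodebase` and the CORBA equivalent to false; the new text drops it without replacement, so if the intent is that the JDK defaults are not to be relied on as a mitigation, a one-line statement to that effect would keep readers from assuming a patched JDK alone is enough.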
