This is an automated email from the ASF dual-hosted git repository.
vy pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 6ea5747 Improve CVE-2021-4422 text.
6ea5747 is described below
commit 6ea574799fdd1c497eb5fa4151dbb7d05cfb9638
Author: Volkan Yazıcı <[email protected]>
AuthorDate: Sun Dec 12 20:24:59 2021 +0100
Improve CVE-2021-4422 text.
---
log4j-2.15.0/index.html | 2 +-
log4j-2.15.0/security.html | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/log4j-2.15.0/index.html b/log4j-2.15.0/index.html
index e8c7f62..b7ed4ea 100644
--- a/log4j-2.15.0/index.html
+++ b/log4j-2.15.0/index.html
@@ -202,7 +202,7 @@
<p>One vector that allowed exposure to this vulnerability was Log4j’s
allowance of Lookups to appear in log messages. As of Log4j 2.15.0 this feature
is now disabled by default. While an option has been provided to enable Lookups
in this fashion, users are strongly discouraged from enabling it.</p>
-<p>For those who cannot upgrade to 2.15.0, in releases >=2.10, this
vulnerability can be mitigated by setting either the system property
<code>log4j2.formatMsgNoLookups</code> or the environment variable
<code>LOG4J_FORMAT_MSG_NO_LOOKUPS</code> to <code>true</code>. For releases
from 2.0-beta9 to 2.10.0, the mitigation is to remove the
<code>JndiLookup</code> class from the classpath: <code>zip -q -d
log4j-core-*.jar
org/apache/logging/log4j/core/lookup/JndiLookup.class</code>.</p>
+<p>For those who cannot upgrade to 2.15.0, in releases >=2.10, this
behavior can be mitigated by setting either the system property
<code>log4j2.formatMsgNoLookups</code> or the environment variable
<code>LOG4J_FORMAT_MSG_NO_LOOKUPS</code> to <code>true</code>. For releases
>=2.7 and <=2.14.1, all <code>PatternLayout</code> patterns can be
modified to specify the message converter as <code>%m{nolookups}</code> instead
of just <code>%m</code>. For releases >=2.0-beta9 and < [...]
<h3>Other News</h3>
<p>Log4j 2.15.0 is now available for production. The API for Log4j 2 is not
compatible with Log4j 1.x, however an adapter is available to allow
applications to continue to use the Log4j 1.x API. Adapters are also available
for Apache Commons Logging, SLF4J, and java.util.logging.</p>
diff --git a/log4j-2.15.0/security.html b/log4j-2.15.0/security.html
index 5135f10..f8587c9 100644
--- a/log4j-2.15.0/security.html
+++ b/log4j-2.15.0/security.html
@@ -167,9 +167,9 @@
<p><a class="externalLink"
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228";>CVE-2021-44228</a>:
Apache Log4j2 JNDI features do not protect against attacker controlled LDAP
and other JNDI related endpoints.</p>
<p>Severity: Critical</p>
<p>Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H</p>
-<p>Versions Affected: all versions from 2.0-beta9 to 2.14.1</p>
-<p>Descripton: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log
messages, and parameters do not protect against attacker controlled LDAP and
other JNDI related endpoints. An attacker who can control log messages or log
message parameters can execute arbitrary code loaded from LDAP servers when
message lookup substitution is enabled. From log4j 2.15.0, this behavior has
been disabled by default.</p>
-<p>Mitigation: In releases >=2.10, this behavior can be mitigated by setting
either the system property <code>log4j2.formatMsgNoLookups</code> or the
environment variable <code>LOG4J_FORMAT_MSG_NO_LOOKUPS</code> to
<code>true</code>. For releases from 2.0-beta9 to 2.10.0, the mitigation is to
remove the <code>JndiLookup</code> class from the classpath: <code>zip -q -d
log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class</code>.
+<p>Versions Affected: all <code>log4j-core</code> versions >=2.0-beta9 and
<=2.14.1</p>
+<p>Descripton: Apache Log4j <=2.14.1 JNDI features used in configuration,
log messages, and parameters do not protect against attacker controlled LDAP
and other JNDI related endpoints. An attacker who can control log messages or
log message parameters can execute arbitrary code loaded from LDAP servers when
message lookup substitution is enabled. From log4j 2.15.0, this behavior has
been disabled by default.</p>
+<p>Mitigation: In releases >=2.10, this behavior can be mitigated by
setting either the system property <code>log4j2.formatMsgNoLookups</code> or
the environment variable <code>LOG4J_FORMAT_MSG_NO_LOOKUPS</code> to
<code>true</code>. For releases >=2.7 and <=2.14.1, all
<code>PatternLayout</code> patterns can be modified to specify the message
converter as <code>%m{nolookups}</code> instead of just <code>%m</code>. For
releases >=2.0-beta9 and <=2.10.0, the mitigation is t [...]
<p>Credit: This issue was discovered by Chen Zhaojun of Alibaba Cloud Security
Team.</p>
<p>References: <a class="externalLink"
href="https://issues.apache.org/jira/browse/LOG4J2-3201";>https://issues.apache.org/jira/browse/LOG4J2-3201</a>
and
<a class="externalLink"
href="https://issues.apache.org/jira/browse/LOG4J2-3198";>https://issues.apache.org/jira/browse/LOG4J2-3198</a></p></section><section>
