This is an automated email from the ASF dual-hosted git repository. ckozak pushed a commit to branch release-2.x in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
commit 0b980aba0680e4984d64eb89e02d5c1561405202 Author: Ralph Goers <[email protected]> AuthorDate: Fri Dec 17 16:03:27 2021 -0700 Prep for releaes --- pom.xml | 6 +++--- src/site/markdown/index.md.vm | 6 ++++++ src/site/markdown/security.md | 16 ++++++---------- src/site/xdoc/manual/appenders.xml | 27 --------------------------- src/site/xdoc/manual/configuration.xml.vm | 26 -------------------------- 5 files changed, 15 insertions(+), 66 deletions(-) diff --git a/pom.xml b/pom.xml index 4ff075f..8003f1a 100644 --- a/pom.xml +++ b/pom.xml @@ -188,13 +188,13 @@ <properties> <!-- make sure to update these for each release! --> <log4jParentDir>${basedir}</log4jParentDir> - <Log4jReleaseVersion>2.16.0</Log4jReleaseVersion> + <Log4jReleaseVersion>2.17.0</Log4jReleaseVersion> <Log4jReleaseVersionJava7>2.12.2</Log4jReleaseVersionJava7> <Log4jReleaseVersionJava6>2.3</Log4jReleaseVersionJava6> <!--Log4jReleaseManager>Ralph Goers</Log4jReleaseManager--> <!--Log4jReleaseKey>B3D8E1BA</Log4jReleaseKey--> - <Log4jReleaseManager>Matt Sicker</Log4jReleaseManager> - <Log4jReleaseKey>748F15B2CF9BA8F024155E6ED7C92B70FA1C814D</Log4jReleaseKey> + <Log4jReleaseManager>Ralph Goers</Log4jReleaseManager> + <Log4jReleaseKey>B3D8E1BA</Log4jReleaseKey> <!-- note that any properties you want available in velocity templates must not use periods! --> <slf4jVersion>1.7.25</slf4jVersion> <logbackVersion>1.2.3</logbackVersion> diff --git a/src/site/markdown/index.md.vm b/src/site/markdown/index.md.vm index 4e4502f..400ced9 100644 --- a/src/site/markdown/index.md.vm +++ b/src/site/markdown/index.md.vm 
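Review bot: The `<Log4jReleaseKey>` value in the pom.xml hunk drops from a full 40-hex fingerprint (`748F15B2CF9BA8F024155E6ED7C92B70FA1C814D`) to an 8-hex short key ID (`B3D8E1BA`), and short key IDs are cheap to collide, so anyone verifying the 2.17.0 release signature against this value could be steered to a forged key. If this property is rendered into the download/verification instructions, as the neighbouring release properties suggest, it should carry the release manager's full fingerprint in the same form the previous value used, e.g. `<Log4jReleaseKey>FULL-40-HEX-FINGERPRINT</Log4jReleaseKey>`. The two commented-out `<!--Log4jReleaseManager>` / `<!--Log4jReleaseKey>` context lines above it now duplicate the live values and could be removed so it is unambiguous which key is current.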
@@ -45,6 +45,12 @@ $h4 Mitigation From version 2.17.0 (for Java 8), only lookup strings in configuration are expanded recursively; in any other usage, only the top-level lookup is resolved, and any nested lookups are not resolved. +In prior releases this issue can be mitigated by ensuring your logging configuration does the following: +* Replace Context Lookups like `$${ctx:loginId}` in PatternLayout with Thread Context Map patterns (%X, %mdc, or %MDC) + in the logging configuration. +* Remove refrences to Context Lookups like `$${ctx:loginId}` in the configuration where they originate + from sources external to the application such as HTTP headers or user input. + $h4 Reference Please refer to the [Security page](security.html#CVE-2021-45105) for details and mitigation measures for older versions of Log4j. diff --git a/src/site/markdown/security.md b/src/site/markdown/security.md index f1a1e05..3409747 100644 --- a/src/site/markdown/security.md +++ b/src/site/markdown/security.md @@ -54,8 +54,8 @@ Apache Log4j2 does not always protect from infinite recursion in lookup evaluati | [CVE-2021-45105](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105) | Denial of Service | | --------------- | -------- | -| Severity | XXXXX | -| Base CVSS Score | X.X (XXXX) | +| Severity | High | +| Base CVSS Score | 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) | | Versions Affected | All versions from 2.0-beta9 to 2.16.0 | ### Description 
@@ -64,13 +64,6 @@ When the logging configuration uses a non-default Pattern Layout with a Context attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack. -$h4 Mitigation -From version 2.17.0 (for Java 8), only lookup strings in configuration are expanded recursively; -in any other usage, only the top-level lookup is resolved, and any nested lookups are not resolved. -Furthermore, error handling has been made more extensive, to catch all Throwables that arise in logging code instead of only Exceptions. -Finally, when JNDI is enabled, it will only support the `java` protocol. -The property to enable JNDI has been renamed to `log4j2.enableJndiJava` from `log4j2.enableJndi`. - ### Mitigation @@ -83,7 +76,10 @@ Log4j 1.x is not impacted by this vulnerability. Implement one of the following mitigation techniques: * Java 8 (or later) users should upgrade to release 2.17.0. -* Replace Context Lookups like `$${ctx:loginId}` with Thread Context Map patterns (%X, %mdc, or %MDC) in the logging configuration. +* Replace Context Lookups like `$${ctx:loginId}` in PatternLayout with Thread Context Map patterns (%X, %mdc, or %MDC) +in the logging configuration. +* Remove refrences to Context Lookups like `$${ctx:loginId}` in the configuration where they originate +from sources external to the application such as HTTP headers or user input. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability. diff --git a/src/site/xdoc/manual/appenders.xml b/src/site/xdoc/manual/appenders.xml index 35d88c0..a59f2e4 100644 --- a/src/site/xdoc/manual/appenders.xml +++ b/src/site/xdoc/manual/appenders.xml 
@@ -1559,33 +1559,6 @@ public class ConnectionFactory { <th>Description</th> </tr> <tr> - <td>allowdLdapClasses</td> - <td>String</td> - <td>null</td> - <td> - A comma separated list of fully qualified class names that may be accessed by LDAP. The classes - must implement Serializable. Only applies when the JMS Appender By default only Java primitive classes are allowed. - </td> - </tr> - <tr> - <td>allowdLdapHosts</td> - <td>String</td> - <td>null</td> - <td> - A comma separated list of host names or ip addresses that may be accessed by LDAP. By default only - the local host names and ip addresses are allowed. - </td> - </tr> - <tr> - <td>allowdJndiProtocols</td> - <td>String</td> - <td>null</td> - <td> - A comma separated list of protocol names that JNDI will allow. By default only java, ldap, and ldaps - are the only allowed protocols. - </td> - </tr> - <tr> <td>factoryBindingName</td> <td>String</td> <td><em>Required</em></td> diff --git a/src/site/xdoc/manual/configuration.xml.vm b/src/site/xdoc/manual/configuration.xml.vm index 2c1c315..86acc17 100644 --- a/src/site/xdoc/manual/configuration.xml.vm +++ b/src/site/xdoc/manual/configuration.xml.vm 
@@ -2173,32 +2173,6 @@ public class AwesomeTest { </td> </tr> <tr> - <td><a name="allowedLdapClasses"/>log4j2.allowedLdapClasses</td> - <td>LOG4J_ALLOWED_LDAP_CLASSES</td> - <td> </td> - <td> - System property that specifies fully qualified class names that may be accessed by LDAP. The classes - must implement Serializable. By default only Java primitive classes are allowed. - </td> - </tr> - <tr> - <td><a name="allowedLdapHosts"/>log4j2.allowedLdapHosts</td> - <td>LOG4J_ALLOWED_LDAP_HOSTS</td> - <td> </td> - <td> - System property that adds host names or ip addresses that may be access by LDAP. By default it only allows - the local host names and ip addresses. - </td> - </tr> - <tr> - <td><a name="allowedJndiProtocols"/>log4j2.allowedJndiProtocols</td> - <td>LOG4J_ALLOWED_JNDI_PROTOCOLS</td> - <td> </td> - <td> - System property that adds protocol names that JNDI will allow. By default it only allows java, ldap, and ldaps. - </td> - </tr> - <tr> <td><a name="uuidSequence"/>log4j2.uuidSequence <br /> (<a name="org.apache.logging.log4j.uuidSequence"/>org.apache.logging.log4j.uuidSequence)
