This is an automated email from the ASF dual-hosted git repository. ckozak pushed a commit to branch release-2.x in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
commit 5476a16845cb0b98e0eec711b11d0df8f41fb71d Author: Remko Popma <[email protected]> AuthorDate: Sat Dec 18 08:30:51 2021 +0900 [DOC] fix typos and rephrase mitigation for CVE-2021-45105 --- src/site/markdown/index.md.vm | 6 ++---- src/site/markdown/security.md | 8 +++++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/site/markdown/index.md.vm b/src/site/markdown/index.md.vm index b96e581..74ae75a 100644 --- a/src/site/markdown/index.md.vm +++ b/src/site/markdown/index.md.vm @@ -46,10 +46,8 @@ From version 2.17.0 (for Java 8), only lookup strings in configuration are expan in any other usage, only the top-level lookup is resolved, and any nested lookups are not resolved. In prior releases this issue can be mitigated by ensuring your logging configuration does the following: -* Replace Context Lookups like `${dollar}${dollar}{ctx:loginId}` in PatternLayout with Thread Context Map patterns (%X, %mdc, or %MDC) - in the logging configuration. -* Remove refrences to Context Lookups like `${dollar}${dollar}{ctx:loginId}` in the configuration where they originate - from sources external to the application such as HTTP headers or user input. +* In PatternLayout in the logging configuration, replace Context Lookups like `${dollar}{ctx:loginId}`or `${dollar}${dollar}{ctx:loginId}` with Thread Context Map patterns (%X, %mdc, or %MDC). +* Otherwise, in the configuration, remove references to Context Lookups like `${dollar}{ctx:loginId}` or `${dollar}${dollar}{ctx:loginId}` where they originate from sources external to the application such as HTTP headers or user input. $h4 Reference Please refer to the [Security page](security.html#CVE-2021-45105) for details and mitigation measures for older versions of Log4j. diff --git a/src/site/markdown/security.md b/src/site/markdown/security.md index 3409747..9b04065 100644 --- a/src/site/markdown/security.md +++ b/src/site/markdown/security.md 
@@ -76,9 +76,11 @@ Log4j 1.x is not impacted by this vulnerability. Implement one of the following mitigation techniques: * Java 8 (or later) users should upgrade to release 2.17.0. -* Replace Context Lookups like `$${ctx:loginId}` in PatternLayout with Thread Context Map patterns (%X, %mdc, or %MDC) -in the logging configuration. -* Remove refrences to Context Lookups like `$${ctx:loginId}` in the configuration where they originate + +Alternatively, this can be mitigated in configuration: + +* In PatternLayout in the logging configuration, replace Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` with Thread Context Map patterns (%X, %mdc, or %MDC). +* Otherwise, in the configuration, remove references to Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` where they originate from sources external to the application such as HTTP headers or user input. Note that only the log4j-core JAR file is impacted by this vulnerability.
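Review bot: In the index.md.vm hunk, the first added bullet is missing a space between the closing backtick and "or" (`` `${dollar}{ctx:loginId}`or `${dollar}${dollar}{ctx:loginId}` ``), which renders as "loginId`or" in the generated site; the security.md hunk has the space, so the two should match. The "Otherwise" that opens the second bullet is also worth a second look: it reads as if removing externally sourced lookups is only required when they are not in PatternLayout, whereas the intent of the original text was that both steps apply.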

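Review bot: In the security.md hunk, the list under "Implement one of the following mitigation techniques:" is left with a single item (upgrade to 2.17.0) before the new "Alternatively, this can be mitigated in configuration:" paragraph, so the lead-in no longer matches the structure; consider either folding the upgrade into a sentence or keeping the configuration bullets in the same list. The new paragraph also omits the qualifier that these configuration changes are for releases prior to 2.17.0, which the index.md.vm hunk states explicitly ("In prior releases this issue can be mitigated..."); adding it here keeps the two pages consistent.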