This is an automated email from the ASF dual-hosted git repository.
rpopma pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git
The following commit(s) were added to refs/heads/asf-staging by this push:
new 54a3c7e Simplify About page in 2.3.1 and 2.12.3
54a3c7e is described below
commit 54a3c7ee831d6d13c37d7c053fa2fc144ce39805
Author: Remko Popma <[email protected]>
AuthorDate: Tue Dec 21 18:02:33 2021 +0900
Simplify About page in 2.3.1 and 2.12.3
---
log4j-2.12.3/index.html | 99 +++++++++++++++-------------------
log4j-2.3.1/index.html | 141 ++++++++++++++----------------------------------
2 files changed, 82 insertions(+), 158 deletions(-)
diff --git a/log4j-2.12.3/index.html b/log4j-2.12.3/index.html
index 68708d4..7ea71ca 100644
--- a/log4j-2.12.3/index.html
+++ b/log4j-2.12.3/index.html
@@ -330,64 +330,49 @@
See the License for the specific language governing permissions and
limitations under the License. --><h1>Apache Log4j 2</h1>
<p>Apache Log4j 2 is an upgrade to Log4j that provides significant
improvements over its predecessor, Log4j 1.x, and provides many of the
improvements available in Logback while fixing some inherent problems in
Logback’s architecture.</p>
-<p><a name="CVE-2021-45105"></a></p>
-<div class="section">
-<h2><a name="Important:_Security_Vulnerability_CVE-2021-45105"></a>Important:
Security Vulnerability CVE-2021-45105</h2>
-<p>The Log4j team has been made aware of a security vulnerability,
CVE-2021-45105, that has been addressed in Log4j 2.17.0 for Java 8 and up, and
in Log4j 2.12.3 for Java 7.</p>
-<p>Summary: Apache Log4j2 does not always protect from infinite recursion in
lookup evaluation.</p>
-<div class="section">
-<div class="section">
-<h4><a name="Details"></a>Details</h4>
-<p>Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from
uncontrolled recursion from self-referential lookups. When the logging
configuration uses a non-default Pattern Layout with a Context Lookup (for
example, <tt>$${ctx:loginId}</tt>), attackers with control over Thread Context
Map (MDC) input data can craft malicious input data that contains a recursive
lookup, resulting in a StackOverflowError that will terminate the process. This
is also known as a DOS (Denial of Se [...]
-<div class="section">
-<h4><a name="Mitigation"></a>Mitigation</h4>
-<p>From version 2.17.0 (for Java 8) and 2.12.3 (for Java 7), only lookup
strings in configuration are expanded recursively; in any other usage, only the
top-level lookup is resolved, and any nested lookups are not resolved.</p>
-<p>In prior releases this issue can be mitigated by ensuring your logging
configuration does the following:</p>
-<ul>
-
-<li>In PatternLayout in the logging configuration, replace Context Lookups
like <tt>${ctx:loginId}</tt>or <tt>$${ctx:loginId}</tt> with Thread Context Map
patterns (%X, %mdc, or %MDC).</li>
-
-<li>Otherwise, in the configuration, remove references to Context Lookups like
<tt>${ctx:loginId}</tt> or <tt>$${ctx:loginId}</tt> where they originate from
sources external to the application such as HTTP headers or user input.</li>
-</ul></div>
-<div class="section">
-<h4><a name="Reference"></a>Reference</h4>
-<p>Please refer to the <a class="externalLink"
href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105";>Security
page</a> for details and mitigation measures for older versions of Log4j.</p>
-<p><a name="CVE-2021-45046"></a></p></div></div></div>
-<div class="section">
-<h2><a name="Important:_Security_Vulnerability_CVE-2021-45046"></a>Important:
Security Vulnerability CVE-2021-45046</h2>
-<p>The Log4j team has been made aware of a security vulnerability,
CVE-2021-45046, that has been addressed in Log4j 2.12.2 for Java 7 and 2.16.0
for Java 8 and up.</p>
-<p>Summary: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote
code execution in certain non-default configurations.</p>
-<div class="section">
-<div class="section">
-<h4><a name="Details"></a>Details</h4>
-<p>It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0
was incomplete in certain non-default configurations. When the logging
configuration uses a non-default Pattern Layout with a Context Lookup (for
example, <tt>$${ctx:loginId}</tt>), attackers with control over Thread Context
Map (MDC) input data can craft malicious input data using a JNDI Lookup
pattern, resulting in an information leak and remote code execution in some
environments and local code execution in [...]
-<p>Note that previous mitigations involving configuration such as setting the
system property <tt>log4j2.formatMsgNoLookups</tt> to <tt>true</tt> do NOT
mitigate this specific vulnerability.</p></div>
-<div class="section">
-<h4><a name="Mitigation"></a>Mitigation</h4>
-<p>In version 2.12.2 (for Java 7), Log4j disables access to JNDI by default.
Usage of JNDI in configuration now needs to be enabled explicitly. Calls to the
JndiLookup will now return a constant string. Also, Log4j now limits the
protocols by default to only java. The message lookups feature has been
completely removed. Lookups in configuration still work.</p>
-<p>From version 2.16.0 (for Java 8), the message lookups feature has been
completely removed. Lookups in configuration still work. Furthermore, Log4j now
disables access to JNDI by default. Users are advised not to enable JNDI in
Log4j 2.16.0. If the JMS Appender is required, use Log4j 2.12.2.</p></div>
-<div class="section">
-<h4><a name="Reference"></a>Reference</h4>
-<p>Please refer to the <a class="externalLink"
href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046";>Security
page</a> for details and mitigation measures for older versions of Log4j.</p>
-<p><a name="CVE-2021-44228"></a></p></div></div></div>
-<div class="section">
-<h2><a name="Important:_Security_Vulnerability_CVE-2021-44228"></a>Important:
Security Vulnerability CVE-2021-44228</h2>
-<p>The Log4j team has been made aware of a security vulnerability,
CVE-2021-44228, that has been addressed in Log4j 2.12.2 and Log4j 2.16.0.</p>
-<div class="section">
-<div class="section">
-<h4><a name="Summary"></a>Summary</h4>
-<p>Log4j’s JNDI support has not restricted what names could be
resolved. Some protocols are unsafe or can allow remote code
execution.</p></div>
-<div class="section">
-<h4><a name="Details"></a>Details</h4>
-<p>One vector that allowed exposure to this vulnerability was Log4j’s
allowance of Lookups to appear in log messages. This meant that when user input
is logged, and that user input contained a JNDI Lookup pointing to a malicious
server, then Log4j would resolve that JNDI Lookup, connect to that server, and
potentially download serialized Java code from that remote server. This in turn
could execute any code during deserialization. This is known as a RCE (Remote
Code Execution) att [...]
-<div class="section">
-<h4><a name="Mitigation"></a>Mitigation</h4>
-<p>In version 2.12.2 (for Java 7), Log4j disables access to JNDI by default.
Usage of JNDI in configuration now needs to be enabled explicitly. Calls to the
JndiLookup will now return a constant string. Also, Log4j now limits the
protocols by default to only java. The message lookups feature has been
completely removed. Lookups in configuration still work.</p>
-<p>From version 2.16.0 (for Java 8), the message lookups feature has been
completely removed. Lookups in configuration still work. Furthermore, Log4j now
disables access to JNDI by default. Users are advised not to enable JNDI in
Log4j 2.16.0. If the JMS Appender is required, use Log4j 2.12.2.</p></div>
-<div class="section">
-<h4><a name="Reference"></a>Reference</h4>
-<p>Please refer to the <a class="externalLink"
href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228";>Security
page</a> for mitigation measures for older versions of
Log4j.</p></div></div></div>
+ <div class="section">
+ <h2><a
name="Important:_Security_Vulnerabilities_CVE-2021-45105_CVE-2021-45046_and_CVE-2021-44228"></a>Important:
Security Vulnerabilities CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228</h2>
+ <p><a
name="CVE-2021-45105"></a></p>
+ <div class="section">
+ <h3><a
name="CVE-2021-45105"></a>CVE-2021-45105</h3>
+ <p>Summary:
Apache Log4j2 does not always protect from infinite recursion in lookup
evaluation.</p>
+ <div
class="section">
+ <h4><a
name="Details"></a>Details</h4>
+
<p>Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from
uncontrolled recursion from self-referential lookups. When the logging
configuration uses a non-default Pattern Layout with a Context Lookup (for
example, <tt>$${ctx:loginId}</tt>), attackers with control over Thread Context
Map (MDC) input data can craft malicious input data that contains a recursive
lookup, resulting in a StackOverflowError that will terminate the process. This
is also known as a DOS (Den [...]
+ <div
class="section">
+ <h4><a
name="Mitigation"></a>Mitigation</h4>
+
<p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for
Java 8 and later).</p></div>
+ <div
class="section">
+ <h4><a
name="Reference"></a>Reference</h4>
+
<p>Please refer to the <a class="externalLink"
href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105";>Security
page</a> for details and mitigation measures for older versions of Log4j.</p>
+ <p><a
name="CVE-2021-45046"></a></p></div></div>
+ <div class="section">
+ <h3><a
name="CVE-2021-45046"></a>CVE-2021-45046</h3>
+ <p>Summary:
Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution
in certain non-default configurations.</p>
+ <div
class="section">
+ <h4><a
name="Details"></a>Details</h4>
+ <p>It
was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was
incomplete in certain non-default configurations. When the logging
configuration uses a non-default Pattern Layout with a Context Lookup (for
example, <tt>$${ctx:loginId}</tt>), attackers with control over Thread Context
Map (MDC) input data can craft malicious input data using a JNDI Lookup
pattern, resulting in an information leak and remote code execution in some
environments and local code exec [...]
+ <div
class="section">
+ <h4><a
name="Mitigation"></a>Mitigation</h4>
+
<p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for
Java 8 and later).</p></div>
+ <div
class="section">
+ <h4><a
name="Reference"></a>Reference</h4>
+
<p>Please refer to the <a class="externalLink"
href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046";>Security
page</a> for details and mitigation measures for older versions of Log4j.</p>
+ <p><a
name="CVE-2021-44228"></a></p></div></div>
+ <div class="section">
+ <h3><a
name="CVE-2021-44228"></a>CVE-2021-44228</h3>
+ <p>Summary:
Log4j’s JNDI support has not restricted what names could be resolved.
Some protocols are unsafe or can allow remote code execution.</p>
+ <div
class="section">
+ <h4><a
name="Details"></a>Details</h4>
+ <p>One
vector that allowed exposure to this vulnerability was Log4j’s allowance
of Lookups to appear in log messages. This meant that when user input is
logged, and that user input contained a JNDI Lookup pointing to a malicious
server, then Log4j would resolve that JNDI Lookup, connect to that server, and
potentially download serialized Java code from that remote server. This in turn
could execute any code during deserialization. This is known as a RCE (Remote
Code Execu [...]
+ <div
class="section">
+ <h4><a
name="Mitigation"></a>Mitigation</h4>
+
<p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for
Java 8 and later).</p></div>
+ <div
class="section">
+ <h4><a
name="Reference"></a>Reference</h4>
+
<p>Please refer to the <a class="externalLink"
href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228";>Security
page</a> for details and mitigation measures for older versions of
Log4j.</p></div></div></div>
+
<div class="section">
<h2><a name="Features"></a>Features</h2>
<div class="section">
diff --git a/log4j-2.3.1/index.html b/log4j-2.3.1/index.html
index 19833bb..ec51099 100644
--- a/log4j-2.3.1/index.html
+++ b/log4j-2.3.1/index.html
@@ -272,109 +272,48 @@
limitations under the License. -->
- <a name="CVE-2021-45105"></a>
-
<div class="section">
-<h2><a
name="Important:_Security_Vulnerabilities_CVE-2021-45105_CVE-2021-45046_and_CVE-2021-44228"></a>Important:
Security Vulnerabilities CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228</h2>
+ <h2><a
name="Important:_Security_Vulnerabilities_CVE-2021-45105_CVE-2021-45046_and_CVE-2021-44228"></a>Important:
Security Vulnerabilities CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228</h2>
+ <p><a name="CVE-2021-45105"></a></p>
+ <div class="section">
+ <h3><a name="CVE-2021-45105"></a>CVE-2021-45105</h3>
+ <p>Summary: Apache Log4j2 does not always protect from infinite
recursion in lookup evaluation.</p>
+ <div class="section">
+ <h4><a name="Details"></a>Details</h4>
+ <p>Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did
not protect from uncontrolled recursion from self-referential lookups. When the
logging configuration uses a non-default Pattern Layout with a Context Lookup
(for example, <tt>$${ctx:loginId}</tt>), attackers with control over Thread
Context Map (MDC) input data can craft malicious input data that contains a
recursive lookup, resulting in a StackOverflowError that will terminate the
process. This is also known as a DOS (Denial of [...]
+ <div class="section">
+ <h4><a name="Mitigation"></a>Mitigation</h4>
+ <p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for
Java 7), or 2.17.0 (for Java 8 and later).</p></div>
+ <div class="section">
+ <h4><a name="Reference"></a>Reference</h4>
+ <p>Please refer to the <a class="externalLink"
href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105";>Security
page</a> for details and mitigation measures for older versions of Log4j.</p>
+ <p><a name="CVE-2021-45046"></a></p></div></div>
+ <div class="section">
+ <h3><a name="CVE-2021-45046"></a>CVE-2021-45046</h3>
+ <p>Summary: Apache Log4j2 Thread Context Lookup Pattern
vulnerable to remote code execution in certain non-default configurations.</p>
+ <div class="section">
+ <h4><a name="Details"></a>Details</h4>
+ <p>It was found that the fix to address CVE-2021-44228
in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
When the logging configuration uses a non-default Pattern Layout with a Context
Lookup (for example, <tt>$${ctx:loginId}</tt>), attackers with control over
Thread Context Map (MDC) input data can craft malicious input data using a JNDI
Lookup pattern, resulting in an information leak and remote code execution in
some environments and local code execution [...]
+ <div class="section">
+ <h4><a name="Mitigation"></a>Mitigation</h4>
+ <p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for
Java 7), or 2.17.0 (for Java 8 and later).</p></div>
+ <div class="section">
+ <h4><a name="Reference"></a>Reference</h4>
+ <p>Please refer to the <a class="externalLink"
href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046";>Security
page</a> for details and mitigation measures for older versions of Log4j.</p>
+ <p><a name="CVE-2021-44228"></a></p></div></div>
+ <div class="section">
+ <h3><a name="CVE-2021-44228"></a>CVE-2021-44228</h3>
+ <p>Summary: Log4j’s JNDI support has not restricted what
names could be resolved. Some protocols are unsafe or can allow remote code
execution.</p>
+ <div class="section">
+ <h4><a name="Details"></a>Details</h4>
+ <p>One vector that allowed exposure to this
vulnerability was Log4j’s allowance of Lookups to appear in log
messages. This meant that when user input is logged, and that user input
contained a JNDI Lookup pointing to a malicious server, then Log4j would
resolve that JNDI Lookup, connect to that server, and potentially download
serialized Java code from that remote server. This in turn could execute any
code during deserialization. This is known as a RCE (Remote Code Execution)
[...]
+ <div class="section">
+ <h4><a name="Mitigation"></a>Mitigation</h4>
+ <p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for
Java 7), or 2.17.0 (for Java 8 and later).</p></div>
+ <div class="section">
+ <h4><a name="Reference"></a>Reference</h4>
+ <p>Please refer to the <a class="externalLink"
href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228";>Security
page</a> for details and mitigation measures for older versions of
Log4j.</p></div></div></div>
-
-<p>The Log4j team has been made aware of multiple security vulnerabilities,
CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228,
- that have been addressed in Log4j 2.3.1 for Java 6.
- The same vulnerabilities have been addressed in Log4j 2.12.3 for Java
7, and in
- Log4j 2.17.0 for Java 8 and up.</p>
-
-
-<div class="section">
-<h3><a name="CVE-2021-45105"></a>CVE-2021-45105</h3>
-
-<p>Summary: Apache Log4j2 does not always protect from infinite recursion in
lookup evaluation.</p>
-
-
-<div class="section">
-<h4><a name="Details"></a>Details</h4>
-
-<p>Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from
uncontrolled recursion from self-referential lookups.
- When the logging configuration uses a non-default Pattern Layout with
a Context Lookup (for example, <tt>$${ctx:loginId}</tt>),
- attackers with control over Thread Context Map (MDC) input data can
craft malicious input data that contains a recursive lookup,
- resulting in a StackOverflowError that will terminate the process.
This is also known as a DOS (Denial of Service) attack.</p>
-
- </div>
-<div class="section">
-<h4><a name="Mitigation"></a>Mitigation</h4>
-
-<p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for
Java 8).</p>
-
- </div>
-<div class="section">
-<h4><a name="Reference"></a>Reference</h4>
-
-<p>Please refer to the <a class="externalLink"
href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105";>Security
page</a> for details and mitigation measures for older versions of Log4j.</p>
-
-
- <a name="CVE-2021-45046"></a>
- </div></div>
-<div class="section">
-<h3><a name="CVE-2021-45046"></a>CVE-2021-45046</h3>
-
-
-<p>Summary: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote
code execution in certain non-default configurations.</p>
-
-
-<div class="section">
-<h4><a name="Details"></a>Details</h4>
-
-<p>It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0
was incomplete in certain non-default configurations.
- When the logging configuration uses a non-default Pattern Layout with
a Context Lookup (for example, <tt>$${ctx:loginId}</tt>),
- attackers with control over Thread Context Map (MDC) input data can
craft malicious input data using a JNDI Lookup pattern,
- resulting in an information leak and remote code execution in some
environments and local code execution in all environments;
- remote code execution has been demonstrated on macOS but no other
tested environments.</p>
-
- </div>
-<div class="section">
-<h4><a name="Mitigation"></a>Mitigation</h4>
-
-<p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for
Java 8).</p>
-
- </div>
-<div class="section">
-<h4><a name="Reference"></a>Reference</h4>
-
-<p>Please refer to the <a class="externalLink"
href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046";>Security
page</a> for details and mitigation measures for older versions of Log4j.</p>
-
-
- <a name="CVE-2021-44228"></a>
- </div></div>
-<div class="section">
-<h3><a name="CVE-2021-44228"></a>CVE-2021-44228</h3>
-
-
-<p>Summary:
- Log4j’s JNDI support has not restricted what names could be
resolved. Some protocols are unsafe or can allow remote code
- execution.</p>
-
-
-<div class="section">
-<h4><a name="Details"></a>Details</h4>
-
-<p>One vector that allowed exposure to this vulnerability was Log4j’s
allowance of Lookups to appear in log messages.
- This meant that when user input is logged, and that user input
contained a JNDI Lookup pointing to a malicious server,
- then Log4j would resolve that JNDI Lookup, connect to that server, and
potentially download serialized Java code from
- that remote server. This in turn could execute any code during
deserialization.
- This is known as a RCE (Remote Code Execution) attack.</p>
-
- </div>
-<div class="section">
-<h4><a name="Mitigation"></a>Mitigation</h4>
-
-<p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for
Java 8).</p>
-
- </div>
-<div class="section">
-<h4><a name="Reference"></a>Reference</h4>
-
-<p>Please refer to the <a class="externalLink"
href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228";>Security
page</a> for details and mitigation measures for older versions of Log4j.</p>
-
- </div></div>
<div class="section">
<h2><a name="Apache_Log4j_2"></a>Apache Log4j 2</h2>
