This is an automated email from the ASF dual-hosted git repository.

rpopma pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new fd0df2f  update security page to add other OS-es where RCE has been demonstrated for CVE-2021-44228
fd0df2f is described below

commit fd0df2f28a73763181546ea738bda4757824a0b6
Author: Remko Popma <rem...@yahoo.com>
AuthorDate: Tue Dec 28 07:25:32 2021 +0900

    update security page to add other OS-es where RCE has been demonstrated for CVE-2021-44228
---
 log4j-2.17.0/security.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/log4j-2.17.0/security.html b/log4j-2.17.0/security.html
index 9be6574..6dab2ef 100644
--- a/log4j-2.17.0/security.html
+++ b/log4j-2.17.0/security.html
@@ -240,7 +240,7 @@
               </tbody>
               </table><section>
               <h3><a name="Description"></a>Description</h3>
-              <p>It was found that the fix to address <a class="externalLink" 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228";>CVE-2021-44228</a>
 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. 
When the logging configuration uses a non-default Pattern Layout with a Context 
Lookup (for example, $${ctx:loginId}), attackers with control over Thread 
Context Map (MDC) input data can craft malicious input data using a JNDI Lookup 
pattern, result [...]
+              <p>It was found that the fix to address <a class="externalLink" 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228";>CVE-2021-44228</a>
 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. 
When the logging configuration uses a non-default Pattern Layout with a Context 
Lookup (for example, $${ctx:loginId}), attackers with control over Thread 
Context Map (MDC) input data can craft malicious input data using a JNDI Lookup 
pattern, result [...]
               <h3><a name="Mitigation"></a>Mitigation</h3><section>
               <h4><a name="Log4j_1.x_mitigation"></a>Log4j 1.x mitigation</h4>
               <p>Log4j 1.x is not impacted by this 
vulnerability.</p></section><section>
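Review bot: the commit message says the change adds operating systems where RCE has been demonstrated for CVE-2021-44228, but the paragraph edited in this hunk (lines 240-241 of security.html) is the description of the incomplete fix for that CVE in Log4j 2.15.0, i.e. the follow-up advisory rather than CVE-2021-44228 itself; the message should name the advisory whose description actually changed so the site history stays searchable by CVE. Also worth noting for anyone reviewing from this notification: the removed and added lines are identical up to the point where the mail truncates them ("pattern, result [...]"), so the substantive wording change is not visible here and has to be checked in the full diff. Finally, the anchor still carries the stray `";` after the href URL (`...name=CVE-2021-44228";>`) on both the old and new line; it would be a good opportunity to drop it, since it ends up in the rendered link text.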