This is an automated email from the ASF dual-hosted git repository.
rgoers pushed a commit to branch log4j-2.12
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
The following commit(s) were added to refs/heads/log4j-2.12 by this push:
new ac43c7a Prepare for release
ac43c7a is described below
commit ac43c7ae2e2d003ba4a6a231d36d8c550ba37f4e
Author: Ralph Goers <[email protected]>
AuthorDate: Tue Dec 28 14:11:55 2021 -0700
Prepare for release
---
RELEASE-NOTES.md | 41 ++++++++-------------------
pom.xml | 4 +--
src/changes/announcement.vm | 9 ++----
src/changes/changes.xml | 6 ++++
src/site/markdown/index.md.vm | 64 ++++++++++---------------------------------
5 files changed, 36 insertions(+), 88 deletions(-)
diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md
index dce21db..a779c19 100644
--- a/RELEASE-NOTES.md
+++ b/RELEASE-NOTES.md
@@ -14,9 +14,9 @@
See the License for the specific language governing permissions and
limitations under the License.
-->
-# Apache Log4j 2.12.3 Release Notes
+# Apache Log4j 2.12.4 Release Notes
-The Apache Log4j 2 team is pleased to announce the Log4j 2.12.3 release!
+The Apache Log4j 2 team is pleased to announce the Log4j 2.12.4 release!
Apache Log4j is a well known framework for logging application behavior. Log4j
2 is an upgrade
to Log4j that provides significant improvements over its predecessor, Log4j
1.x, and provides
@@ -29,45 +29,26 @@ The artifacts may be downloaded from
https://logging.apache.org/log4j/2.x/downlo
This release contains the changes noted below:
-* Address CVE-2021-45105.
-* Require components that use JNDI to be enabled individually via system
properties.
-* Remove LDAP and LDAPS as supported protocols from JNDI.
+* Address CVE-2021-44832.
-Due to a break in compatibility in the SLF4J binding, Log4j now ships with two
versions of the SLF4J to Log4j adapters.
-log4j-slf4j-impl should be used with SLF4J 1.7.x and earlier and
log4j-slf4j18-impl should be used with SLF4J 1.8.x and
-later. SLF4J-2.0.0 alpha releases are not fully supported. See
https://issues.apache.org/jira/browse/LOG4J2-2975 and
-https://jira.qos.ch/browse/SLF4J-511.
+This release addresses CVE-2021-44832 for users still using Java 7.
-Some of the changes in Log4j 2.12.3 include:
+The Log4j 2.12.4 API, as well as many core components, maintains binary
compatibility with previous releases.
-* Disable recursive evaluation of Lookups during log event processing.
Recursive evaluation is still allowed while
-generating the configuration.
-* The JndiLookup, JndiContextSelector, and JMSAppender now require individual
system properties to be enabled.
-* Removed support for the LDAP and LDAPS protocols via JNDI.
-
-## GA Release 2.12.3
+## GA Release 2.12.4
Changes in this version include:
### Fixed Bugs
-* [LOG4J2-3230](https://issues.apache.org/jira/browse/LOG4J2-3230):
- Fix string substitution recursion.
-* [LOG4J2-3242](https://issues.apache.org/jira/browse/LOG4J2-3242):
- Limit JNDI to the java protocol only. JNDI will remain disabled by
default. Rename JNDI enablement property from 'log4j2.enableJndi' to
'log4j2.enableJndiLookup', 'log4j2.enableJndiJms', and
'log4j2.enableJndiContextSelector'.
-* [LOG4J2-3241](https://issues.apache.org/jira/browse/LOG4J2-3241):
- Do not declare log4j-api-java9 and log4j-core-java9 as dependencies as it
causes problems with the Maven enforcer plugin.
-* [LOG4J2-3247](https://issues.apache.org/jira/browse/LOG4J2-3247):
- PropertiesConfiguration.parseAppenderFilters NPE when parsing properties
file filters.
-* [LOG4J2-3249](https://issues.apache.org/jira/browse/LOG4J2-3249):
- Log4j 1.2 bridge for Syslog Appender defaults to port 512 instead of 514.
-* [LOG4J2-3237](https://issues.apache.org/jira/browse/LOG4J2-3237):
- Log4j 1.2 bridge API hard codes the Syslog protocol to TCP.
+* [LOG4J2-3293](https://issues.apache.org/jira/browse/LOG4J2-3293):
+JdbcAppender now uses JndiManager to access JNDI resources. JNDI is only
enabled when system property
+ log4j2.enableJndiJdbc is set to true.
---
-Apache Log4j 2.12.3 requires a minimum of Java 7 to build and run. Log4j 2.3
was the
+Apache Log4j 2.12.4 requires a minimum of Java 7 to build and run. Log4j 2.3
was the
last release that supported Java 6.
Basic compatibility with Log4j 1.x is provided through the log4j-1.2-api
component, however it
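Review bot: the new LOG4J2-3293 entry under Fixed Bugs says only that JNDI in the JdbcAppender is gated by a system property, but not what the restriction is once enabled; index.md.vm in this same commit states that data source names are limited to the java protocol, and the release notes are the text most users read. Suggest extending the entry to "JNDI is only enabled when system property log4j2.enableJndiJdbc is set to true, and data source names are limited to the java protocol." The continuation lines of the entry are also indented inconsistently with each other (`+JdbcAppender now uses JndiManager` has no leading space, `+ log4j2.enableJndiJdbc is set to true.` has one) and with the removed entries above them; align them so the markdown renders as one list item.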
@@ -78,4 +59,4 @@ with log4j 1.x.
For complete information on Apache Log4j 2, including instructions on how to
submit bug
reports, patches, or suggestions for improvement, see the Apache Apache Log4j
2 website:
-https://logging.apache.org/log4j/2.x/
+https://logging.apache.org/log4j/2.x/
\ No newline at end of file
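Review bot: the only change in this hunk is dropping the trailing newline after the URL (`\ No newline at end of file` now applies to the `+` line); that is a whitespace-only change that will appear as noise in every future diff of this file, so restore the newline. While here, the unchanged context line `see the Apache Apache Log4j` doubles the word "Apache".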
diff --git a/pom.xml b/pom.xml
index 09d3edc..7bb0884 100644
--- a/pom.xml
+++ b/pom.xml
@@ -181,8 +181,8 @@
<properties>
<!-- make sure to update these for each release! -->
<log4jParentDir>${basedir}</log4jParentDir>
- <Log4jReleaseVersion>2.12.3</Log4jReleaseVersion>
- <Log4jReleaseVersionJava6>2.3.1</Log4jReleaseVersionJava6>
+ <Log4jReleaseVersion>2.12.4</Log4jReleaseVersion>
+ <Log4jReleaseVersionJava6>2.3.2</Log4jReleaseVersionJava6>
<Log4jReleaseManager>Ralph Goers</Log4jReleaseManager>
<Log4jReleaseKey>B3D8E1BA</Log4jReleaseKey>
<Log4jSigningUserName>[email protected]</Log4jSigningUserName>
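Review bot: the unchanged context line `<Log4jReleaseKey>B3D8E1BA</Log4jReleaseKey>` records only a 32-bit short key ID, and short IDs are cheap to collide, so anything that verifies release signatures should not match on this value alone; consider recording the full fingerprint (or at least the 64-bit long ID) here and pointing verifiers to the project's KEYS file. The two version bumps themselves (`2.12.4` and the Java 6 line `2.3.2`) agree with the mitigation text in index.md.vm in this commit.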
diff --git a/src/changes/announcement.vm b/src/changes/announcement.vm
index 8bd9cdf..9f06f27 100644
--- a/src/changes/announcement.vm
+++ b/src/changes/announcement.vm
@@ -65,14 +65,11 @@ temporary objects) while logging. In addition, Log4j 2 will
not lose events whil
The artifacts may be downloaded from
https://logging.apache.org/log4j/2.x/download.html.
-This release contains bugfixes and minor enhancements.
+This release contains the changes noted below:
-Due to a break in compatibility in the SLF4J binding, Log4j now ships with two
versions of the SLF4J to Log4j adapters.
-log4j-slf4j-impl should be used with SLF4J 1.7.x and earlier and
log4j-slf4j18-impl should be used with SLF4J 1.8.x and
-later.
+* Address CVE-2021-44832.
-This release addresses CVE-2021-44228 for users still using Java 7 by
disabling JNDI by default, only allowing the java
-protocol when JNDI is enabled, making the JNDI Lookup inoperable, and removing
the message lookup capability.
+This release addresses CVE-2021-44832 for users still using Java 7.
The Log4j ${relVersion} API, as well as many core components, maintains binary
compatibility with previous releases.
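Review bot: `+This release addresses CVE-2021-44832 for users still using Java 7.` says nothing about what changed, whereas the removed CVE-2021-44228 paragraph described its fix (JNDI disabled by default, java protocol only). Readers of the announcement deciding whether they are exposed need the same for this CVE: suggest adding that the JDBC Appender now resolves JNDI data sources through JndiManager, that JNDI use there is off unless the system property `log4j2.enableJndiJdbc` is true, and that only the java protocol is accepted (both facts appear in changes.xml and index.md.vm in this commit).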
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index fa1daba..0b4b405 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -29,6 +29,12 @@
- "update" - Change
- "remove" - Removed
-->
+ <release version="2.12.4" date="2021-12-28" description="GA Release
2.12.4">
+ <action issue="LOG4J2-3293" dev="ggregory" type="fix">
+ JdbcAppender now uses JndiManager to access JNDI resources. JNDI is
only enabled when system property
+ log4j2.enableJndiJdbc is set to true.
+ </action>
+ </release>
<release version="2.12.3" date="2021-12-dd" description="GA Release
2.12.3">
<action issue="LOG4J2-3230" dev="ckozak" type="fix">
Fix string substitution recursion.
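Review bot: the unchanged context line `<release version="2.12.3" date="2021-12-dd" description="GA Release 2.12.3">` still carries the `dd` placeholder for the 2.12.3 release date; since this commit prepares a release, fill in the real date so the generated changes report does not publish a malformed one. The new 2.12.4 `<action>` should also mention the java-protocol limit on data source names that index.md.vm describes, so that changes.xml and the site page agree on what the fix does.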
diff --git a/src/site/markdown/index.md.vm b/src/site/markdown/index.md.vm
index f46a67e..976faec 100644
--- a/src/site/markdown/index.md.vm
+++ b/src/site/markdown/index.md.vm
@@ -26,66 +26,30 @@ $h1 Apache Log4j 2
Apache Log4j 2 is an upgrade to Log4j that provides significant improvements
over its predecessor, Log4j 1.x, and
provides many of the improvements available in Logback while fixing some
inherent problems in Logback's architecture.
+<a name="CVE-2021-44832"/>
+ $h2 Important: Security Vulnerability CVE-2021-44832
-$h2 Important: Security Vulnerabilities CVE-2021-45105, CVE-2021-45046 and
CVE-2021-44228
-
-<a name="CVE-2021-45105"/>
-$h3 CVE-2021-45105
-
-Summary: Apache Log4j2 does not always protect from infinite recursion in
lookup evaluation.
+Summary: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker
controls configuration.
$h4 Details
-Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from
uncontrolled recursion from self-referential lookups.
-When the logging configuration uses a non-default Pattern Layout with a
Context Lookup (for example, ``${dollar}${dollar}{ctx:loginId}``),
-attackers with control over Thread Context Map (MDC) input data can craft
malicious input data that contains a recursive lookup,
-resulting in a StackOverflowError that will terminate the process. This is
also known as a DOS (Denial of Service) attack.
-
-$h4 Mitigation
-Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java
8).
-
-$h4 Reference
-Please refer to the [Security
page](https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105) for
details and mitigation measures for older versions of Log4j.
-
-
-<a name="CVE-2021-45046"/>
-$h3 CVE-2021-45046
-
-Summary: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code
execution in certain non-default configurations.
-$h4 Details
-It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was
incomplete in certain non-default configurations.
-When the logging configuration uses a non-default Pattern Layout with a
Context Lookup (for example, ``${dollar}${dollar}{ctx:loginId}``),
-attackers with control over Thread Context Map (MDC) input data can craft
malicious input data using a JNDI Lookup pattern,
-resulting in an information leak and remote code execution in some
environments and local code execution in all environments;
-remote code execution has been demonstrated on macOS but no other tested
environments.
+Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix
releases 2.3.2 and 2.12.4) are vulnerable to
+a remote code execution (RCE) attack where an attacker with permission to
modify the logging configuration file can
+construct a malicious configuration using a JDBC Appender with a data source
referencing a JNDI URI which can execute
+remote code. This issue is fixed by limiting JNDI data source names to the
java protocol in Log4j2 versions 2.17.1,
+2.12.4, and 2.3.2.
$h4 Mitigation
-Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java
8).
+Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java
8 and later)
$h4 Reference
-Please refer to the [Security
page](https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046) for
details and mitigation measures for older versions of Log4j.
-
-
-<a name="CVE-2021-44228"/>
-$h3 CVE-2021-44228
-
-Summary:
-Log4j’s JNDI support has not restricted what names could be resolved. Some
protocols are unsafe or can allow remote code
-execution.
-
-$h4 Details
-One vector that allowed exposure to this vulnerability was Log4j’s allowance
of Lookups to appear in log messages.
-This meant that when user input is logged, and that user input contained a
JNDI Lookup pointing to a malicious server,
-then Log4j would resolve that JNDI Lookup, connect to that server, and
potentially download serialized Java code from
-that remote server. This in turn could execute any code during deserialization.
-This is known as a RCE (Remote Code Execution) attack.
-
-$h4 Mitigation
-Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java
8).
+Please refer to the [Security
page](https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832) for
details and
+mitigation measures for older versions of Log4j.
-$h4 Reference
-Please refer to the [Security
page](https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228) for
details and mitigation measures for older versions of Log4j.
+$h2 Important: Security Vulnerabilities CVE-2021-45105, CVE-2021-45046 and
CVE-2021-44228
+Please refer to the [Security
page](https://logging.apache.org/log4j/2.x/security.html) for details and
mitigation
+measures for these security issues.
$h2 Features
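Review bot: `+Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later)` drops the trailing period the removed line had. The new heading `+ $h2 Important: Security Vulnerability CVE-2021-44832` also has a leading space that no other `$h2`/`$h3` line in this file has; keep the Velocity heading macro at column 0 so it renders like the rest. In the Details paragraph, state the configuration gate alongside the protocol limit: changes.xml in this commit says JNDI in the JdbcAppender is only enabled when `log4j2.enableJndiJdbc` is true, which is the more useful fact for an operator assessing exposure, since a JNDI data source in the configuration does nothing unless that property is set. Finally, removing `<a name="CVE-2021-45105"/>`, `<a name="CVE-2021-45046"/>` and `<a name="CVE-2021-44228"/>` breaks any existing deep link to those fragments on this page; consider keeping the anchors next to the new summary section that points to the security page.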