This is an automated email from the ASF dual-hosted git repository.
mattsicker pushed a commit to branch log4j-2.17.1-site
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
The following commit(s) were added to refs/heads/log4j-2.17.1-site by this push:
new cf32a4d Clarify CVE-2021-44832 details
cf32a4d is described below
commit cf32a4d371731f97e453c6f3179183f027b7d441
Author: Matt Sicker <[email protected]>
AuthorDate: Wed Dec 29 18:06:46 2021 -0600
Clarify CVE-2021-44832 details
---
src/site/markdown/security.md | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/src/site/markdown/security.md b/src/site/markdown/security.md
index 8555695..86fb8a5 100644
--- a/src/site/markdown/security.md
+++ b/src/site/markdown/security.md
@@ -49,7 +49,7 @@ privately to the [Log4j Security
Team](mailto:[email protected]). Thank
## <a name="log4j-2.17.1"/> Fixed in Log4j 2.17.1 (Java 8), 2.12.4 (Java 7)
and 2.3.2 (Java 6)
[CVE-2021-44832](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832):
-Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls
configuration.
+Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls
configuration server.
|
[CVE-2021-44832](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832)
| Remote Code Execution |
| --------------- | -------- |
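Review bot: the new summary phrase "when attacker controls configuration server" in the changed line is ambiguous, since the description hunk below says the precondition is that the attacker controls the target LDAP server referenced by the JNDI data source URI, not a configuration server. Suggest aligning the summary with that wording, e.g. "Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls the LDAP server referenced by the configuration", so the table row and the description state the same threat model.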
@@ -59,11 +59,9 @@ Apache Log4j2 vulnerable to RCE via JDBC Appender when
attacker controls configu
### Description
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix
releases 2.3.2 and 2.12.4) are vulnerable to
-a remote code execution (RCE) attack where an attacker with permission to
modify the logging configuration file can
-construct a malicious configuration using a JDBC Appender with a data source
referencing a JNDI URI which can execute
-remote code. This issue is fixed by limiting JNDI data source names to the
java protocol in Log4j2 versions 2.17.1,
-2.12.4, and 2.3.2.
-
+a remote code execution (RCE) attack when a configuration uses a JDBC Appender
with a JNDI LDAP data source URI when
+an attacker has control of the target LDAP server. This issue is fixed by
limiting JNDI data source names to the java
+protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
### Mitigation
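Review bot: the added description chains two "when" clauses ("attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server"), which reads as if the second condition qualifies the first rather than being a separate precondition; suggest "attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI and an attacker has control of the target LDAP server." The removed text also stated who can introduce such a configuration (someone with permission to modify the logging configuration file); if that precondition still applies it is worth keeping a clause saying the configuration must already reference the attacker-controlled LDAP server, so readers do not take the new text to mean any deployment with a JDBC Appender is exposed. Minor: the hunk also drops the blank line before "### Mitigation"; keeping a blank line between the paragraph and the heading matches the rest of the file.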