This is an automated email from the ASF dual-hosted git repository.

vy pushed a commit to branch 2.3.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git

commit 94c264c9d670a42be3dfbf6d4af0549950029d64
Author: Ralph Goers <[email protected]>
AuthorDate: Wed Dec 29 12:27:48 2021 -0700

    Fixes for site
---
 src/changes/announcement.vm               |  2 +
 src/site/xdoc/index.xml                   | 67 +++++++------------------------
 src/site/xdoc/manual/configuration.xml.vm |  4 --
 3 files changed, 17 insertions(+), 56 deletions(-)

diff --git a/src/changes/announcement.vm b/src/changes/announcement.vm
index 6b06f36fe2..df1f871a86 100644
--- a/src/changes/announcement.vm
+++ b/src/changes/announcement.vm
@@ -26,6 +26,8 @@ Log4j that provides significant improvements over its 
predecessor, Log4j 1.x, an
 many other modern features such as support for Markers, property substitution 
using Lookups, and asynchronous
 Loggers. In addition, Log4j 2 will not lose events while reconfiguring.
 
+The artifacts may be downloaded from 
https://logging.apache.org/log4j/log4j-$relVersion}/download.html.
+
 The major changes contained in this release include:
 
 * Address CVE-2021-45046 and CVE-2021-45105 by disabling recursive evaluation 
of Lookups during log event processing. Recursive evaluation is still allowed 
while generating the configuration.
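Review bot: the added download URL has an unbalanced Velocity reference: `log4j-$relVersion}/download.html` is missing the opening brace and should read `log4j-${relVersion}/download.html`. Velocity accepts the bare `$relVersion` form, so as written the rendered announcement would contain the version number followed by a stray `}` in the link.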
diff --git a/src/site/xdoc/index.xml b/src/site/xdoc/index.xml
index d289bf7bcf..1af3008beb 100644
--- a/src/site/xdoc/index.xml
+++ b/src/site/xdoc/index.xml
@@ -28,68 +28,31 @@
 
     <body>
 
-      <a name="CVE-2021-45105"/>
-      <h2>Important: Security Vulnerabilities CVE-2021-45105, CVE-2021-45046 
and CVE-2021-44228</h2>
-
-      <p>The Log4j team has been made aware of multiple security 
vulnerabilities, CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228,
-        that have been addressed in Log4j 2.3.1 for Java 6.
-        The same vulnerabilities have been addressed in Log4j 2.12.3 for Java 
7, and in
-        Log4j 2.17.0 for Java 8 and up.</p>
+      <a name="CVE-2021-44832"/>
+      <h2>Important: Security Vulnerability CVE-2021-44832</h2>
 
-      <h3>CVE-2021-45105</h3>
-      <p>Summary: Apache Log4j2 does not always protect from infinite 
recursion in lookup evaluation.</p>
+      Summary: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker 
controls configuration.
 
       <h4>Details</h4>
-      <p>Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from 
uncontrolled recursion from self-referential lookups.
-        When the logging configuration uses a non-default Pattern Layout with 
a Context Lookup (for example, <code>$${ctx:loginId}</code>),
-        attackers with control over Thread Context Map (MDC) input data can 
craft malicious input data that contains a recursive lookup,
-        resulting in a StackOverflowError that will terminate the process. 
This is also known as a DOS (Denial of Service) attack.</p>
-
-      <h4>Mitigation</h4>
-      <p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 
(for Java 8).</p>
-
-      <h4>Reference</h4>
-      <p>Please refer to the <a 
href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105";>Security
 page</a> for details and mitigation measures for older versions of Log4j.</p>
-
-
-      <a name="CVE-2021-45046"/>
-      <h3>CVE-2021-45046</h3>
-
-      <p>Summary: Apache Log4j2 Thread Context Lookup Pattern vulnerable to 
remote code execution in certain non-default configurations.</p>
 
-      <h4>Details</h4>
-      <p>It was found that the fix to address CVE-2021-44228 in Apache Log4j 
2.15.0 was incomplete in certain non-default configurations.
-        When the logging configuration uses a non-default Pattern Layout with 
a Context Lookup (for example, <code>$${ctx:loginId}</code>),
-        attackers with control over Thread Context Map (MDC) input data can 
craft malicious input data using a JNDI Lookup pattern,
-        resulting in an information leak and remote code execution in some 
environments and local code execution in all environments;
-        remote code execution has been demonstrated on macOS but no other 
tested environments.</p>
+      Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix 
releases 2.3.2 and 2.12.4) are vulnerable to
+      a remote code execution (RCE) attack where an attacker with permission 
to modify the logging configuration file can
+      construct a malicious configuration using a JDBC Appender with a data 
source referencing a JNDI URI which can execute
+      remote code. This issue is fixed by limiting JNDI data source names to 
the java protocol in Log4j2 versions 2.17.1,
+      2.12.4, and 2.3.2.
 
       <h4>Mitigation</h4>
-      <p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 
(for Java 8).</p>
+      Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for 
Java 8 and later)
 
       <h4>Reference</h4>
-      <p>Please refer to the <a 
href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046";>Security
 page</a> for details and mitigation measures for older versions of Log4j.</p>
-
-
-      <a name="CVE-2021-44228"/>
-      <h3>CVE-2021-44228</h3>
-
-      <p>Summary:
-        Log4j’s JNDI support has not restricted what names could be resolved. 
Some protocols are unsafe or can allow remote code
-        execution.</p>
-
-      <h4>Details</h4>
-      <p>One vector that allowed exposure to this vulnerability was Log4j’s 
allowance of Lookups to appear in log messages.
-        This meant that when user input is logged, and that user input 
contained a JNDI Lookup pointing to a malicious server,
-        then Log4j would resolve that JNDI Lookup, connect to that server, and 
potentially download serialized Java code from
-        that remote server. This in turn could execute any code during 
deserialization.
-        This is known as a RCE (Remote Code Execution) attack.</p>
+      Please refer to the <a 
href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832";>Security
 Page</a>
+      for details and mitigation measures for older versions of Log4j.
 
-      <h4>Mitigation</h4>
-      <p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 
(for Java 8).</p>
+      <a name="CVE-2021-45105"/>
+      <h2>Important: Security Vulnerabilities CVE-2021-45105, CVE-2021-45046 
and CVE-2021-44228</h2>
 
-      <h4>Reference</h4>
-      <p>Please refer to the <a 
href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228";>Security
 page</a> for details and mitigation measures for older versions of Log4j.</p>
+      Please refer to the <a 
href="https://logging.apache.org/log4j/2.x/security.html";>Security Page</a> for 
details
+      and mitigation measures for these security issues.
 
       <section name="Apache Log4j 2">
 
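Review bot: the replacement Summary, Details, Mitigation and Reference text is no longer wrapped in `<p>` elements, unlike the block it replaces (`<p>Summary: ...</p>`), so it will render as bare text nodes directly under `<body>`; wrap each paragraph in `<p>…</p>`. The new Mitigation line `Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later)` also lacks a terminating period. Finally, the collapsed section for the earlier issues keeps only the `<a name="CVE-2021-45105"/>` anchor while its heading names three CVEs, so existing links to `#CVE-2021-45046` and `#CVE-2021-44228` on this page will no longer resolve; consider keeping those two anchors.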
diff --git a/src/site/xdoc/manual/configuration.xml.vm 
b/src/site/xdoc/manual/configuration.xml.vm
index c391da0833..1e0b768d10 100644
--- a/src/site/xdoc/manual/configuration.xml.vm
+++ b/src/site/xdoc/manual/configuration.xml.vm
@@ -1377,7 +1377,6 @@ public class AwesomeTest {
   </tr>
   <tr>
     <td><a 
name="enableJndiContextSelector"/>log4j2.enableJndiContextSelector</td>
-    <td>LOG4J_ENABLE_JNDI_CONTEXT_SELECTOR</td>
     <td>false</td>
     <td>
       When true, the Log4j context selector that uses the JNDI java protocol 
is enabled. When false, the default, they are disabled.
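Review bot: dropping the `<td>LOG4J_ENABLE_JNDI_CONTEXT_SELECTOR</td>` cell (and the matching environment-variable cells in the three rows below) leaves these rows with one fewer column than before. That is only correct if the table in this file has no environment-variable column at all, so confirm the header row and the other rows outside these hunks were adjusted the same way; otherwise the Default and Description cells of these four rows will shift left under the wrong headers.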
@@ -1385,7 +1384,6 @@ public class AwesomeTest {
   </tr>
   <tr>
     <td><a name="enableJndiJdbc"/>log4j2.enableJndiJdbc</td>
-    <td>LOG4J_ENABLE_JNDI_JDBC</td>
     <td>false</td>
     <td>
       When true, a Log4j JDBC Appender configured with a 
<code>DataSource</code> which uses JNDI's java protocol is enabled. When false, 
the default, they are disabled.
@@ -1393,7 +1391,6 @@ public class AwesomeTest {
   </tr>
   <tr>
     <td><a name="enableJndiJms"/>log4j2.enableJndiJms</td>
-    <td>LOG4J_ENABLE_JNDI_JMS</td>
     <td>false</td>
     <td>
       When true, a Log4j JMS Appender that uses JNDI's java protocol is 
enabled. When false, the default, they are disabled.
@@ -1401,7 +1398,6 @@ public class AwesomeTest {
   </tr>
   <tr>
     <td><a name="enableJndiLookup"/>log4j2.enableJndiLookup</td>
-    <td>LOG4J_ENABLE_JNDI_LOOKUP</td>
     <td>false</td>
     <td>
       When true, a Log4j lookup that uses JNDI's java protocol is enabled. 
When false, the default, they are disabled.
