This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-site.git
The following commit(s) were added to refs/heads/asf-staging by this push:
new e2287322 Automatic Site Publish by Buildbot
e2287322 is described below
commit e2287322ee4d9b6cf4fada3e8b79b2b5bb08a9e8
Author: buildbot <[email protected]>
AuthorDate: Mon Nov 13 08:37:44 2023 +0000
Automatic Site Publish by Buildbot
---
content/blog/2023/10/11/release.html | 14 +-
content/blog/index.html | 14 +-
content/charter.html | 14 +-
content/dormant.html | 14 +-
content/feed.xml | 2 +-
content/guidelines.html | 14 +-
content/index.html | 14 +-
content/mailing-lists.html | 14 +-
content/security.html | 14 +-
.../10/11/release.html => security/index.html} | 115 +++-
content/security/known-vulnerabilities.html | 644 +++++++++++++++++++++
content/support.html | 426 ++++++++++++++
content/team-list.html | 14 +-
content/what-is-logging.html | 14 +-
14 files changed, 1285 insertions(+), 42 deletions(-)
diff --git a/content/blog/2023/10/11/release.html
b/content/blog/2023/10/11/release.html
index 04873f98..1f3f03f6 100644
--- a/content/blog/2023/10/11/release.html
+++ b/content/blog/2023/10/11/release.html
@@ -27,7 +27,7 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/mailing-lists.html">Mailing
lists</a></li>
+ <li><a href="/support.html">Support & Help</a></li>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
</li>
@@ -113,7 +113,17 @@
<ul class="nav">
<li><a href="/blog">Blog</a></li>
</ul>
-
+ <ul class="nav">
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
+ <ul class="dropdown-menu">
+ <li><a href="/security/">Handling Security</a></li>
+ <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
+ <li><a href="/activity-monitor/">Activity
Monitor</a></li>
+ </ul>
+ </li>
+ </ul>
+
<ul class="nav pull-right">
<li class="dropdown">
<a href="#" class="dropdown-toggle"
data-toggle="dropdown">Apache<b class="caret"></b></a>
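Review bot: The new Security dropdown toggle `<a href="#" class="dropdown-toggle" data-toggle="dropdown">Security<b class="caret"></b></a>` uses a fragment link as an in-page control, the same `href="#"` anti-pattern the existing Apache toggle below it already has; a control with no destination is better expressed as `<button type="button" class="dropdown-toggle" data-toggle="dropdown">`, subject to the Bootstrap CSS the site ships, and that form also avoids the scroll-to-top a `#` link performs whenever the script does not intercept the click. The same block is inserted into every other published page in this commit (blog/index.html, charter.html, dormant.html, guidelines.html, index.html, mailing-lists.html, security.html and security/index.html), so the markup presumably comes from one navbar template in the site source that the buildbot renders from, and that is where a change belongs rather than in these published copies. The navbar `<div>` wrappers open and close outside the hunk.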
diff --git a/content/blog/index.html b/content/blog/index.html
index cd7407b0..aec62493 100644
--- a/content/blog/index.html
+++ b/content/blog/index.html
@@ -27,7 +27,7 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/mailing-lists.html">Mailing
lists</a></li>
+ <li><a href="/support.html">Support & Help</a></li>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
</li>
@@ -113,7 +113,17 @@
<ul class="nav">
<li><a href="/blog">Blog</a></li>
</ul>
-
+ <ul class="nav">
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
+ <ul class="dropdown-menu">
+ <li><a href="/security/">Handling Security</a></li>
+ <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
+ <li><a href="/activity-monitor/">Activity
Monitor</a></li>
+ </ul>
+ </li>
+ </ul>
+
<ul class="nav pull-right">
<li class="dropdown">
<a href="#" class="dropdown-toggle"
data-toggle="dropdown">Apache<b class="caret"></b></a>
diff --git a/content/charter.html b/content/charter.html
index 73776b75..720f854c 100644
--- a/content/charter.html
+++ b/content/charter.html
@@ -27,7 +27,7 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/mailing-lists.html">Mailing
lists</a></li>
+ <li><a href="/support.html">Support & Help</a></li>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
</li>
@@ -113,7 +113,17 @@
<ul class="nav">
<li><a href="/blog">Blog</a></li>
</ul>
-
+ <ul class="nav">
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
+ <ul class="dropdown-menu">
+ <li><a href="/security/">Handling Security</a></li>
+ <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
+ <li><a href="/activity-monitor/">Activity
Monitor</a></li>
+ </ul>
+ </li>
+ </ul>
+
<ul class="nav pull-right">
<li class="dropdown">
<a href="#" class="dropdown-toggle"
data-toggle="dropdown">Apache<b class="caret"></b></a>
diff --git a/content/dormant.html b/content/dormant.html
index 753db0c3..0c6d1337 100644
--- a/content/dormant.html
+++ b/content/dormant.html
@@ -27,7 +27,7 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/mailing-lists.html">Mailing
lists</a></li>
+ <li><a href="/support.html">Support & Help</a></li>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
</li>
@@ -113,7 +113,17 @@
<ul class="nav">
<li><a href="/blog">Blog</a></li>
</ul>
-
+ <ul class="nav">
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
+ <ul class="dropdown-menu">
+ <li><a href="/security/">Handling Security</a></li>
+ <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
+ <li><a href="/activity-monitor/">Activity
Monitor</a></li>
+ </ul>
+ </li>
+ </ul>
+
<ul class="nav pull-right">
<li class="dropdown">
<a href="#" class="dropdown-toggle"
data-toggle="dropdown">Apache<b class="caret"></b></a>
diff --git a/content/feed.xml b/content/feed.xml
index 4147c1cf..5bbec46d 100644
--- a/content/feed.xml
+++ b/content/feed.xml
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?><feed
xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/"
version="4.2.2">Jekyll</generator><link href="/feed.xml" rel="self"
type="application/atom+xml" /><link href="/" rel="alternate" type="text/html"
/><updated>2023-11-02T18:21:26+00:00</updated><id>/feed.xml</id><title
type="html">Apache Software Foundation - Logging
Services</title><subtitle>Write an awesome description for your new site here.
You can edit this line in _ [...]
+<?xml version="1.0" encoding="utf-8"?><feed
xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/"
version="4.2.2">Jekyll</generator><link href="/feed.xml" rel="self"
type="application/atom+xml" /><link href="/" rel="alternate" type="text/html"
/><updated>2023-11-13T08:37:43+00:00</updated><id>/feed.xml</id><title
type="html">Apache Software Foundation - Logging
Services</title><subtitle>Write an awesome description for your new site here.
You can edit this line in _ [...]
<h2 id="release">Release</h2>
<div class="sectionbody">
<div class="paragraph">
diff --git a/content/guidelines.html b/content/guidelines.html
index 52511860..4c1ff722 100644
--- a/content/guidelines.html
+++ b/content/guidelines.html
@@ -27,7 +27,7 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/mailing-lists.html">Mailing
lists</a></li>
+ <li><a href="/support.html">Support & Help</a></li>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
</li>
@@ -113,7 +113,17 @@
<ul class="nav">
<li><a href="/blog">Blog</a></li>
</ul>
-
+ <ul class="nav">
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
+ <ul class="dropdown-menu">
+ <li><a href="/security/">Handling Security</a></li>
+ <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
+ <li><a href="/activity-monitor/">Activity
Monitor</a></li>
+ </ul>
+ </li>
+ </ul>
+
<ul class="nav pull-right">
<li class="dropdown">
<a href="#" class="dropdown-toggle"
data-toggle="dropdown">Apache<b class="caret"></b></a>
diff --git a/content/index.html b/content/index.html
index ca0abcdd..b9b4025e 100644
--- a/content/index.html
+++ b/content/index.html
@@ -27,7 +27,7 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/mailing-lists.html">Mailing
lists</a></li>
+ <li><a href="/support.html">Support & Help</a></li>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
</li>
@@ -113,7 +113,17 @@
<ul class="nav">
<li><a href="/blog">Blog</a></li>
</ul>
-
+ <ul class="nav">
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
+ <ul class="dropdown-menu">
+ <li><a href="/security/">Handling Security</a></li>
+ <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
+ <li><a href="/activity-monitor/">Activity
Monitor</a></li>
+ </ul>
+ </li>
+ </ul>
+
<ul class="nav pull-right">
<li class="dropdown">
<a href="#" class="dropdown-toggle"
data-toggle="dropdown">Apache<b class="caret"></b></a>
diff --git a/content/mailing-lists.html b/content/mailing-lists.html
index fd40e43f..65cecfed 100644
--- a/content/mailing-lists.html
+++ b/content/mailing-lists.html
@@ -27,7 +27,7 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/mailing-lists.html">Mailing
lists</a></li>
+ <li><a href="/support.html">Support & Help</a></li>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
</li>
@@ -113,7 +113,17 @@
<ul class="nav">
<li><a href="/blog">Blog</a></li>
</ul>
-
+ <ul class="nav">
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
+ <ul class="dropdown-menu">
+ <li><a href="/security/">Handling Security</a></li>
+ <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
+ <li><a href="/activity-monitor/">Activity
Monitor</a></li>
+ </ul>
+ </li>
+ </ul>
+
<ul class="nav pull-right">
<li class="dropdown">
<a href="#" class="dropdown-toggle"
data-toggle="dropdown">Apache<b class="caret"></b></a>
diff --git a/content/security.html b/content/security.html
index ecd88527..8f5cc7d1 100644
--- a/content/security.html
+++ b/content/security.html
@@ -27,7 +27,7 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/mailing-lists.html">Mailing
lists</a></li>
+ <li><a href="/support.html">Support & Help</a></li>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
</li>
@@ -113,7 +113,17 @@
<ul class="nav">
<li><a href="/blog">Blog</a></li>
</ul>
-
+ <ul class="nav">
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
+ <ul class="dropdown-menu">
+ <li><a href="/security/">Handling Security</a></li>
+ <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
+ <li><a href="/activity-monitor/">Activity
Monitor</a></li>
+ </ul>
+ </li>
+ </ul>
+
<ul class="nav pull-right">
<li class="dropdown">
<a href="#" class="dropdown-toggle"
data-toggle="dropdown">Apache<b class="caret"></b></a>
diff --git a/content/blog/2023/10/11/release.html b/content/security/index.html
similarity index 59%
copy from content/blog/2023/10/11/release.html
copy to content/security/index.html
index 04873f98..1bf8ae22 100644
--- a/content/blog/2023/10/11/release.html
+++ b/content/security/index.html
@@ -27,7 +27,7 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/mailing-lists.html">Mailing
lists</a></li>
+ <li><a href="/support.html">Support & Help</a></li>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
</li>
@@ -113,7 +113,17 @@
<ul class="nav">
<li><a href="/blog">Blog</a></li>
</ul>
-
+ <ul class="nav">
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
+ <ul class="dropdown-menu">
+ <li><a href="/security/">Handling Security</a></li>
+ <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
+ <li><a href="/activity-monitor/">Activity
Monitor</a></li>
+ </ul>
+ </li>
+ </ul>
+
<ul class="nav pull-right">
<li class="dropdown">
<a href="#" class="dropdown-toggle"
data-toggle="dropdown">Apache<b class="caret"></b></a>
@@ -135,37 +145,100 @@
<div class="container">
<div class="content">
- <div class="hero-unit">
-
-
- <h1>Log4j 2.21.0 released</h1>
- <p>We are pleased to announce the Log4j 2.21.0 release!</p>
- </div>
- <time itemprop="datePublished" datetime="2023-10-11">
- 11 Oct 2023
- </time>
-
- <div itemprop="text"><div class="sect1">
-<h2 id="release">Release</h2>
+ <div class="sect1">
+<h2 id="security">Security</h2>
+<div class="sectionbody">
+<div class="paragraph">
+<p>The Apache Logging Services Security Team takes security seriously.
+This allows our users to place their trust in Log4j for protecting their
mission-critical data.
+In this page we will help you find guidance on security-related issues and
access to known vulnerabilities.</p>
+</div>
+<div class="admonitionblock warning">
+<table>
+<tr>
+<td class="icon">
+<div class="title">Warning</div>
+</td>
+<td class="content">
+<div class="paragraph">
+<p><a href="http://logging.apache.org/log4j/1.x">Log4j 1</a> has <a
href="https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces">reached
End of Life</a> in 2015, and is no longer supported.
+Vulnerabilities reported after August 2015 against Log4j 1 are not checked and
will not be fixed.
+Users should <a href="manual/migration.html">upgrade to Log4j 2</a> to obtain
security fixes.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="support">Getting support</h2>
+<div class="sectionbody">
+<div class="paragraph">
+<p>If you need help on building or configuring any logging component such as
Log4j or other help on following the instructions to mitigate the known
vulnerabilities listed here, please use our <a
href="../support.html#discussions">user support channels</a>.</p>
+</div>
+<div class="admonitionblock tip">
+<table>
+<tr>
+<td class="icon">
+<div class="title">Tip</div>
+</td>
+<td class="content">
+<div class="paragraph">
+<p>If you need to apply a source code patch, use the building instructions for
the Log4j version that you are using.
+These instructions can be found in <code>BUILDING.md</code> distributed with
the sources.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="reporting">Reporting vulnerabilities</h2>
+<div class="sectionbody">
+<div class="paragraph">
+<p>If you have encountered an unlisted security vulnerability or other
unexpected behaviour that has a security impact, or if the descriptions here
are incomplete, please report them <strong>privately</strong> to <a
href="mailto:[email protected]">the Logging Services Security
Team</a>.</p>
+</div>
+<div class="admonitionblock warning">
+<table>
+<tr>
+<td class="icon">
+<div class="title">Warning</div>
+</td>
+<td class="content">
+<div class="paragraph">
+<p>The threat model that Log4j uses considers configuration files as safe
input controlled by the programmer; <strong>potential vulnerabilities that
require the ability to modify a configuration are not considered
vulnerabilities</strong> as the required access to do so implies the attacker
can execute arbitrary code.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="policy">Vulnerability handling policy</h2>
<div class="sectionbody">
<div class="paragraph">
-<p>The Apache Log4j 2 team is pleased to announce the Log4j 2.21.0 release!</p>
+<p>The Apache Logging Services Security Team follows the <a
href="https://www.apache.org/security/committers.html">ASF Project Security</a>
guide for handling security vulnerabilities.</p>
</div>
<div class="paragraph">
-<p>It contains many improvements over the previous version. Most notably,
it…​</p>
+<p>Reported security vulnerabilities are subject to voting (by means of <a
href="https://logging.apache.org/guidelines.html"><em>lazy approval</em></a>,
preferably) in the private <a
href="mailto:[email protected]">security mailing list</a> before
creating a CVE and populating its associated content.
+This procedure involves only the creation of CVEs and blocks neither
(vulnerability) fixes, nor releases.</p>
</div>
</div>
</div>
<div class="sect1">
-<h2 id="changes">Changes</h2>
+<h2 id="vdr">Vulnerability Disclosure Report (VDR)</h2>
<div class="sectionbody">
<div class="paragraph">
-<p>sss</p>
+<p>Starting with version <code>2.22.0</code>, Log4j distributes <a
href="https://cyclonedx.org/capabilities/vdr">CycloneDX Software Bill of
Materials (SBOM)</a> along with each deployed artifact.
+Produced SBOMs contain BOM-links referring to a <a
href="https://cyclonedx.org/capabilities/vdr">CycloneDX Vulnerability
Disclosure Report (VDR)</a> that Apache Logging Services uses for all projects
it maintains.
+All this is streamlined by <code>logging-parent</code>, see <a
href="https://logging.apache.org/logging-parent/latest/#cyclonedx-sbom">its
website</a> for details.</p>
+</div>
</div>
</div>
-</div></div>
</div>
-
<div class="footer">
<p>
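Review bot: The upgrade link in the Log4j 1 warning, `<a href="manual/migration.html">upgrade to Log4j 2</a>`, is a bare relative path, so from `/security/index.html` it resolves to `/security/manual/migration.html`, which looks like a path carried over from the Log4j 2 site rather than one that exists under this site's `/security/`; the neighbouring `href="../support.html#discussions"` shows how the page otherwise anchors its links, so this target should be verified and most likely replaced with an absolute URL to the Log4j 2 migration guide. The same paragraph links Log4j 1 over plain `http://logging.apache.org/log4j/1.x`; on a page whose purpose is security guidance it should be `https://`, matching every other external link in the hunk. Since content/ is the buildbot-published output, both corrections belong in the source the page is generated from. The enclosing `<div class="content">` opens before the hunk and the footer continues past it.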
@@ -184,4 +257,4 @@
</div>
</body>
-</html>
\ No newline at end of file
+</html>
diff --git a/content/security/known-vulnerabilities.html
b/content/security/known-vulnerabilities.html
new file mode 100644
index 00000000..d629e928
--- /dev/null
+++ b/content/security/known-vulnerabilities.html
@@ -0,0 +1,644 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+ <title>Apache Logging Services</title>
+
+ <link href="/css/asciidoctor-default.css" rel="stylesheet" type="text/css"
/>
+ <link href="/css/bootstrap.min.css" rel="stylesheet" type="text/css" />
+ <link href="/css/site.css" rel="stylesheet" type="text/css" />
+
+ <script src="/js/jquery.min.js"></script>
+ <script src="/js/bootstrap.min.js"></script>
+ <script src="/js/site.js"></script>
+ <link rel="alternate" type="application/rss+xml" title="ASF Loggin
Services" href="/feed.xml">
+</head>
+
+
+<body>
+<div class="navbar">
+ <div class="navbar-inner">
+ <div class="container">
+ <a class="brand" href="/">Apache Logging Services™</a>
+ <ul class="nav">
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle"
data-toggle="dropdown">About<b class="caret"></b></a>
+ <ul class="dropdown-menu">
+ <li><a href="/guidelines.html">Guidelines</a></li>
+ <li><a href="/charter.html">Charter</a></li>
+ <li><a href="/team-list.html">Team</a></li>
+ <li><a href="/support.html">Support & Help</a></li>
+ <li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a>
+ <li><a href="/what-is-logging.html">What is
logging?</a>
+ </li>
+ </ul>
+ </li>
+ </ul>
+ <ul class="nav">
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Projects<b class="caret"></b></a>
+ <ul class="dropdown-menu">
+
+
+ <li><a href="/log4j/2.x/index.html">Apache
Log4j™</a></li>
+
+
+
+ <li><a href="/log4j/kotlin/index.html">Apache
Log4j™ for Kotlin</a></li>
+
+
+
+ <li><a href="/log4j/scala/index.html">Apache
Log4j™ for Scala</a></li>
+
+
+
+ <li><a href="/log4cxx">Apache log4cxx</a></li>
+
+
+
+ <li><a href="/chainsaw/2.x/index.html">Apache
chainsaw</a></li>
+
+
+
+ <li><a
href="/log4j-audit/latest/index.html">Apache Log4j Audit</a></li>
+
+
+
+ <li><a href="/log4net">Apache Log4Net</a></li>
+
+
+
+
+
+
+
+
+ </ul>
+ </li>
+ </ul>
+ <ul class="nav">
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Dormant<b class="caret"></b></a>
+ <ul class="dropdown-menu">
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ <li><a href="/log4j/1.2/index.html">Apache Log4j
1.x</a></li>
+
+
+
+ <li><a href="/log4j/extras/index.html">Apache
log4j 1 extras</a></li>
+
+
+
+ <li><a href="/log4php">Apache log4php</a></li>
+
+
+ </ul>
+ </li>
+ </ul>
+ <ul class="nav">
+ <li><a href="/blog">Blog</a></li>
+ </ul>
+ <ul class="nav">
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
+ <ul class="dropdown-menu">
+ <li><a href="/security/">Handling Security</a></li>
+ <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
+ <li><a href="/activity-monitor/">Activity
Monitor</a></li>
+ </ul>
+ </li>
+ </ul>
+
+ <ul class="nav pull-right">
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Apache<b class="caret"></b></a>
+ <ul class="dropdown-menu">
+ <li><a target="_blank"
href="https://www.apache.org/">Home</a></li>
+ <li><a target="_blank"
href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a target="_blank"
href="https://www.apache.org/licenses/">License</a></li>
+ <li><a target="_blank"
href="https://www.apache.org/foundation/thanks.html">Thanks</a></li>
+ <li><a target="_blank"
href="https://www.apache.org/events/current-event.html">Current Events</a></li>
+ <li><a target="_blank"
href="https://www.apache.org/security/">Security</a></li>
+ <li><a target="_blank"
href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy</a></li>
+ </ul>
+ </li>
+ </ul>
+ </div>
+ </div>
+</div>
+
+
+<div class="container">
+ <div class="content">
+ <div class="sect1">
+<h2 id="vulnerabilities">Known vulnerabilities</h2>
+<div class="sectionbody">
+<div class="paragraph">
+<p>The Logging Services Security Team believes that accuracy, completeness and
availability of security information is essential for our users.
+We choose to pool all information on this one page, allowing easy searching
for security vulnerabilities over a range of criteria.</p>
+</div>
+<div class="admonitionblock note">
+<table>
+<tr>
+<td class="icon">
+<div class="title">Note</div>
+</td>
+<td class="content">
+<div class="paragraph">
+<p>We adhere to <a
href="https://maven.apache.org/enforcer/enforcer-rules/versionRanges.html">the
Maven version range syntax</a> while sharing versions of affected components.
+We only extend this mathematical notation with set union operator (i.e.,
<code>∪</code>) to denote union of multiple ranges.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+<div class="sect2">
+<h3 id="CVE-2021-44832"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-44832">CVE-2021-44832</a></h3>
+<table class="tableblock frame-all grid-all stretch">
+<colgroup>
+<col style="width: 16.6666%;">
+<col style="width: 83.3334%;">
+</colgroup>
+<tbody>
+<tr>
+<th class="tableblock halign-left valign-top"><p
class="tableblock">Summary</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">JDBC
appender is vulnerable to remote code execution in certain
configurations</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x
Score & Vector</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">6.6 MEDIUM
(CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Components
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>log4j-core</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>[2.0-beta7, 2.3.2) ∪ [2.4, 2.12.4) ∪ [2.13.0,
2.17.1)</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
fixed</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>2.3.2</code> (for Java 6), <code>2.12.4</code> (for
Java 7), or <code>2.17.1</code> (for Java 8 and later)</p></td>
+</tr>
+</tbody>
+</table>
+<div class="sect3">
+<h4 id="CVE-2021-44832-description">Description</h4>
+<div class="paragraph">
+<p>An attacker with write access to the logging configuration can construct a
malicious configuration using a JDBC Appender with a data source referencing a
JNDI URI which can execute remote code.
+This issue is fixed by limiting JNDI data source names to the
<code>java</code> protocol.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2021-44832-mitigation">Mitigation</h4>
+<div class="paragraph">
+<p>Upgrade to <code>2.3.2</code> (for Java 6), <code>2.12.4</code> (for Java
7), or <code>2.17.1</code> (for Java 8 and later).</p>
+</div>
+<div class="paragraph">
+<p>In prior releases confirm that if the JDBC Appender is being used it is not
configured to use any protocol other than <code>java</code>.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2021-44832-references">References</h4>
+<div class="ulist">
+<ul>
+<li>
+<p><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-44832">CVE-2021-44832</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="CVE-2021-45105"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105">CVE-2021-45105</a></h3>
+<table class="tableblock frame-all grid-all stretch">
+<colgroup>
+<col style="width: 16.6666%;">
+<col style="width: 83.3334%;">
+</colgroup>
+<tbody>
+<tr>
+<th class="tableblock halign-left valign-top"><p
class="tableblock">Summary</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Infinite
recursion in lookup evaluation</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x
Score & Vector</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">5.9 MEDIUM
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Components
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>log4j-core</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>[2.0-alpha1, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0,
2.17.0)</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
fixed</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for
Java 7), and <code>2.17.0</code> (for Java 8 and later)</p></td>
+</tr>
+</tbody>
+</table>
+<div class="sect3">
+<h4 id="CVE-2021-45105-description">Description</h4>
+<div class="paragraph">
+<p>Log4j versions <code>2.0-alpha1</code> through <code>2.16.0</code>
(excluding <code>2.3.1</code> and <code>2.12.3</code>), did not protect from
uncontrolled recursion that can be implemented using self-referential lookups.
+When the logging configuration uses a non-default Pattern Layout with a
Context Lookup (for example, <code>$${ctx:loginId}</code>), attackers with
control over Thread Context Map (MDC) input data can craft malicious input data
that contains a recursive lookup, resulting in a
<code>StackOverflowError</code> that will terminate the process.
+This is also known as a <em>DoS (Denial-of-Service)</em> attack.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2021-45105-mitigation">Mitigation</h4>
+<div class="paragraph">
+<p>Upgrade to <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java
7), or <code>2.17.0</code> (for Java 8 and later).</p>
+</div>
+<div class="paragraph">
+<p>Alternatively, this infinite recursion issue can be mitigated in
configuration:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>In PatternLayout in the logging configuration, replace Context Lookups like
<code>${ctx:loginId}</code> or <code>$${ctx:loginId}</code> with Thread Context
Map patterns (<code>%X</code>, <code>%mdc</code>, or <code>%MDC</code>).</p>
+</li>
+<li>
+<p>Otherwise, in the configuration, remove references to Context Lookups like
<code>${ctx:loginId}</code> or <code>$${ctx:loginId}</code> where they originate
+from sources external to the application such as HTTP headers or user input.
+Note that this mitigation is insufficient in releases older than
<code>2.12.2</code> (for Java 7), and <code>2.16.0</code> (for Java 8 and
later) as the issues fixed in those releases will still be present.</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>Note that only the <code>log4j-core</code> JAR file is impacted by this
vulnerability.
+Applications using only the <code>log4j-api</code> JAR file without the
<code>log4j-core</code> JAR file are not impacted by this vulnerability.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2021-45105-credits">Credits</h4>
+<div class="paragraph">
+<p>Independently discovered by Hideki Okamoto of Akamai Technologies, Guy
Lederfein of Trend Micro Research working with Trend Micro’s Zero Day
Initiative, and another anonymous vulnerability researcher.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2021-45105-references">References</h4>
+<div class="ulist">
+<ul>
+<li>
+<p><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105">CVE-2021-45105</a></p>
+</li>
+<li>
+<p><a
href="https://issues.apache.org/jira/browse/LOG4J2-3230">LOG4J2-3230</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="CVE-2021-45046"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-45046">CVE-2021-45046</a></h3>
+<table class="tableblock frame-all grid-all stretch">
+<colgroup>
+<col style="width: 16.6666%;">
+<col style="width: 83.3334%;">
+</colgroup>
+<tbody>
+<tr>
+<th class="tableblock halign-left valign-top"><p
class="tableblock">Summary</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Thread
Context Lookup is vulnerable to remote code execution in certain
configurations</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x
Score & Vector</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">9.0
CRITICAL (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Components
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>log4j-core</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0,
2.17.0)</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
fixed</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for
Java 7), and <code>2.17.0</code> (for Java 8 and later)</p></td>
+</tr>
+</tbody>
+</table>
+<div class="sect3">
+<h4 id="CVE-2021-45046-description">Description</h4>
+<div class="paragraph">
+<p>It was found that the fix to address <a
href="#CVE-2021-44228">CVE-2021-44228</a> in Log4j <code>2.15.0</code> was
incomplete in certain non-default configurations.
+When the logging configuration uses a non-default Pattern Layout with a Thread
Context Lookup (for example, <code>$${ctx:loginId}</code>), attackers with
control over Thread Context Map (MDC) can craft malicious input data using a
JNDI Lookup pattern, resulting in an information leak and remote code execution
in some environments and local code execution in all environments.
+Remote code execution has been demonstrated on macOS, Fedora, Arch Linux, and
Alpine Linux.</p>
+</div>
+<div class="paragraph">
+<p>Note that this vulnerability is not limited to just the JNDI lookup.
+Any other Lookup could also be included in a Thread Context Map variable and
possibly have private details exposed to anyone with access to the logs.</p>
+</div>
+<div class="paragraph">
+<p>Note that only the <code>log4j-core</code> JAR file is impacted by this
vulnerability.
+Applications using only the <code>log4j-api</code> JAR file without the
<code>log4j-core</code> JAR file are not impacted by this vulnerability.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2021-45046-mitigation">Mitigation</h4>
+<div class="paragraph">
+<p>Upgrade to Log4j <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for
Java 7), or <code>2.17.0</code> (for Java 8 and later).</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2021-45046-credits">Credits</h4>
+<div class="paragraph">
+<p>This issue was discovered by Kai Mindermann of iC Consult and separately by
4ra1n.</p>
+</div>
+<div class="paragraph">
+<p>Additional vulnerability details discovered independently by Ash Fox of
Google, Alvaro Muñoz and Tony Torralba from GitHub, Anthony Weems of
Praetorian, and RyotaK (@ryotkak).</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2021-45046-references">References</h4>
+<div class="ulist">
+<ul>
+<li>
+<p><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-45046">CVE-2021-45046</a></p>
+</li>
+<li>
+<p><a
href="https://issues.apache.org/jira/browse/LOG4J2-3221">LOG4J2-3221</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="CVE-2021-44228"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228">CVE-2021-44228</a></h3>
+<table class="tableblock frame-all grid-all stretch">
+<colgroup>
+<col style="width: 16.6666%;">
+<col style="width: 83.3334%;">
+</colgroup>
+<tbody>
+<tr>
+<th class="tableblock halign-left valign-top"><p
class="tableblock">Summary</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">JNDI
lookup can be exploited to execute arbitrary code loaded from an LDAP
server</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x
Score & Vector</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">10.0
CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Components
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>log4j-core</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0,
2.17.0)</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
fixed</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for
Java 7), and <code>2.17.0</code> (for Java 8 and later)</p></td>
+</tr>
+</tbody>
+</table>
+<div class="sect3">
+<h4 id="CVE-2021-44228-description">Description</h4>
+<div class="paragraph">
+<p>In Log4j, the JNDI features used in configurations, log messages, and
parameters do not protect against attacker-controlled LDAP and other JNDI
related endpoints.
+An attacker who can control log messages or log message parameters can execute
arbitrary code loaded from LDAP servers.</p>
+</div>
+<div class="paragraph">
+<p>Note that only the <code>log4j-core</code> JAR file is impacted by this
vulnerability.
+Applications using only the <code>log4j-api</code> JAR file without the
<code>log4j-core</code> JAR file are not impacted by this vulnerability.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2021-44228-mitigation">Mitigation</h4>
+<div class="sect4">
+<h5 id="CVE-2021-44228-mitigation-log4j1">Log4j 1 mitigation</h5>
+<div class="admonitionblock warning">
+<table>
+<tr>
+<td class="icon">
+<div class="title">Warning</div>
+</td>
+<td class="content">
+<div class="paragraph">
+<p><a href="http://logging.apache.org/log4j/1.x">Log4j 1</a> has <a
href="https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces">reached
End of Life</a> in 2015, and is no longer supported.
+Vulnerabilities reported after August 2015 against Log4j 1 are not checked and
will not be fixed.
+Users should <a href="manual/migration.html">upgrade to Log4j 2</a> to obtain
security fixes.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+<div class="paragraph">
+<p>Log4j 1 does not have Lookups, so the risk is lower.
+Applications using Log4j 1 are only vulnerable to this attack when they use
JNDI in their configuration.
+A separate CVE (<a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-4104">CVE-2021-4104</a>) has
been filed for this vulnerability.
+To mitigate, audit your logging configuration to ensure it has no
<code>JMSAppender</code> configured.
+Log4j 1 configurations without <code>JMSAppender</code> are not impacted by
this vulnerability.</p>
+</div>
+</div>
+<div class="sect4">
+<h5 id="CVE-2021-44228-mitigation-log4j2">Log4j 2 mitigation</h5>
+<div class="paragraph">
+<p>Upgrade to Log4j <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for
Java 7), or <code>2.17.0</code> (for Java 8 and later).</p>
+</div>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2021-44228-credits">Credits</h4>
+<div class="paragraph">
+<p>This issue was discovered by Chen Zhaojun of Alibaba Cloud Security
Team.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2021-44228-references">References</h4>
+<div class="ulist">
+<ul>
+<li>
+<p><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228">CVE-2021-44228</a></p>
+</li>
+<li>
+<p><a
href="https://issues.apache.org/jira/browse/LOG4J2-3198">LOG4J2-3198</a></p>
+</li>
+<li>
+<p><a
href="https://issues.apache.org/jira/browse/LOG4J2-3201">LOG4J2-3201</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="CVE-2020-9488"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2020-9488">CVE-2020-9488</a></h3>
+<table class="tableblock frame-all grid-all stretch">
+<colgroup>
+<col style="width: 16.6666%;">
+<col style="width: 83.3334%;">
+</colgroup>
+<tbody>
+<tr>
+<th class="tableblock halign-left valign-top"><p
class="tableblock">Summary</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Improper
validation of certificate with host mismatch in SMTP appender</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x
Score & Vector</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">3.7 LOW
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Components
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>log4j-core</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>[2.0-beta1, 2.12.3) ∪ [2.13.1, 2.13.2)</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
fixed</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>2.12.3</code> (Java 7) and <code>2.13.2</code> (Java 8
and later)</p></td>
+</tr>
+</tbody>
+</table>
+<div class="sect3">
+<h4 id="CVE-2020-9488-description">Description</h4>
+<div class="paragraph">
+<p>Improper validation of certificate with host mismatch in SMTP appender.
+This could allow an SMTPS connection to be intercepted by a man-in-the-middle
attack which could leak any log
+messages sent through that appender.</p>
+</div>
+<div class="paragraph">
+<p>The reported issue was caused by an error in <code>SslConfiguration</code>.
+Any element using <code>SslConfiguration</code> in the Log4j
<code>Configuration</code> is also affected by this issue.
+This includes <code>HttpAppender</code>, <code>SocketAppender</code>, and
<code>SyslogAppender</code>.
+Usages of <code>SslConfiguration</code> that are configured via system
properties are not affected.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2020-9488-mitigation">Mitigation</h4>
+<div class="paragraph">
+<p>Upgrade to <code>2.12.3</code> (Java 7) or <code>2.13.2</code> (Java 8 and
later).</p>
+</div>
+<div class="paragraph">
+<p>Alternatively, users can set the
<code>mail.smtp.ssl.checkserveridentity</code> system property to
<code>true</code> to enable SMTPS hostname verification for all SMTPS mail
sessions.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2020-9488-credits">Credits</h4>
+<div class="paragraph">
+<p>This issue was discovered by Peter Stöckli.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2020-9488-references">References</h4>
+<div class="ulist">
+<ul>
+<li>
+<p><a
href="https://nvd.nist.gov/vuln/detail/CVE-2020-9488">CVE-2020-9488</a></p>
+</li>
+<li>
+<p><a
href="https://issues.apache.org/jira/browse/LOG4J2-2819">LOG4J2-2819</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="CVE-2017-5645"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-5645">CVE-2017-5645</a></h3>
+<table class="tableblock frame-all grid-all stretch">
+<colgroup>
+<col style="width: 16.6666%;">
+<col style="width: 83.3334%;">
+</colgroup>
+<tbody>
+<tr>
+<th class="tableblock halign-left valign-top"><p
class="tableblock">Summary</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">TCP/UDP
socket servers can be exploited to execute arbitrary code</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 2.0
Score & Vector</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">7.5 HIGH
(AV:N/AC:L/Au:N/C:P/I:P/A:P)</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Components
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>log4j-core</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>[2.0-alpha1, 2.8.2)</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
fixed</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>2.8.2</code> (Java 7)</p></td>
+</tr>
+</tbody>
+</table>
+<div class="sect3">
+<h4 id="CVE-2017-5645-description">Description</h4>
+<div class="paragraph">
+<p>When using the TCP socket server or UDP socket server to receive serialized
log events from another application, a specially crafted binary payload can be
sent that, when deserialized, can execute arbitrary code.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2017-5645-mitigation">Mitigation</h4>
+<div class="paragraph">
+<p>Java 7 and above users should migrate to version <code>2.8.2</code> or
avoid using the socket server classes.
+Java 6 users should avoid using the TCP or UDP socket server classes, or they
can manually backport <a
href="https://github.com/apache/logging-log4j2/commit/5dcc192">the security fix
commit</a> from <code>2.8.2</code>.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2017-5645-credits">Credits</h4>
+<div class="paragraph">
+<p>This issue was discovered by Marcio Almeida de Macedo of Red Team at
Telstra.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2017-5645-references">References</h4>
+<div class="ulist">
+<ul>
+<li>
+<p><a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-5645">CVE-2017-5645</a></p>
+</li>
+<li>
+<p><a
href="https://issues.apache.org/jira/browse/LOG4J2-1863">LOG4J2-1863</a></p>
+</li>
+<li>
+<p><a href="https://github.com/apache/logging-log4j2/commit/5dcc192">Security
fix commit</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+</div>
+</div>
+ </div>
+
+<div class="footer">
+ <p>
+ Copyright © 2017-2023 <a href="https://www.apache.org"
target="external">The Apache Software Foundation</a>.
+ Licensed under the <a
href="https://www.apache.org/licenses/LICENSE-2.0"
+ target="external">Apache Software License, Version 2.0</a> Please
read our <a
href="https://privacy.apache.org/policies/privacy-policy-public.html">privacy
policy</a>.
+ </p><p>
+ Apache, Apache chainsaw, Apache log4cxx, Apache log4j, Apache
log4net, Apache log4php and the Apache
+ feather logo are trademarks of The Apache Software Foundation.
Oracle and Java are registered trademarks
+ of Oracle and/or its affiliates. Other names may be trademarks of
their respective owners.
+ </p><p>
+ Site powered by <a href="https://getbootstrap.com/"
target="external">Bootstrap</a>
+ and <a href="https://jquery.com/" target="external">jQuery</a>.
+ </p>
+</div>
+
+</div>
+</body>
+</html>
diff --git a/content/support.html b/content/support.html
new file mode 100644
index 00000000..2009f73f
--- /dev/null
+++ b/content/support.html
@@ -0,0 +1,426 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+ <title>Apache Logging Services</title>
+
+ <link href="/css/asciidoctor-default.css" rel="stylesheet" type="text/css"
/>
+ <link href="/css/bootstrap.min.css" rel="stylesheet" type="text/css" />
+ <link href="/css/site.css" rel="stylesheet" type="text/css" />
+
+ <script src="/js/jquery.min.js"></script>
+ <script src="/js/bootstrap.min.js"></script>
+ <script src="/js/site.js"></script>
+ <link rel="alternate" type="application/rss+xml" title="ASF Loggin
Services" href="/feed.xml">
+</head>
+
+
+<body>
+<div class="navbar">
+ <div class="navbar-inner">
+ <div class="container">
+ <a class="brand" href="/">Apache Logging Services™</a>
+ <ul class="nav">
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle"
data-toggle="dropdown">About<b class="caret"></b></a>
+ <ul class="dropdown-menu">
+ <li><a href="/guidelines.html">Guidelines</a></li>
+ <li><a href="/charter.html">Charter</a></li>
+ <li><a href="/team-list.html">Team</a></li>
+ <li><a href="/support.html">Support & Help</a></li>
+ <li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a>
+ <li><a href="/what-is-logging.html">What is
logging?</a>
+ </li>
+ </ul>
+ </li>
+ </ul>
+ <ul class="nav">
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Projects<b class="caret"></b></a>
+ <ul class="dropdown-menu">
+
+
+ <li><a href="/log4j/2.x/index.html">Apache
Log4j™</a></li>
+
+
+
+ <li><a href="/log4j/kotlin/index.html">Apache
Log4j™ for Kotlin</a></li>
+
+
+
+ <li><a href="/log4j/scala/index.html">Apache
Log4j™ for Scala</a></li>
+
+
+
+ <li><a href="/log4cxx">Apache log4cxx</a></li>
+
+
+
+ <li><a href="/chainsaw/2.x/index.html">Apache
chainsaw</a></li>
+
+
+
+ <li><a
href="/log4j-audit/latest/index.html">Apache Log4j Audit</a></li>
+
+
+
+ <li><a href="/log4net">Apache Log4Net</a></li>
+
+
+
+
+
+
+
+
+ </ul>
+ </li>
+ </ul>
+ <ul class="nav">
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Dormant<b class="caret"></b></a>
+ <ul class="dropdown-menu">
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ <li><a href="/log4j/1.2/index.html">Apache Log4j
1.x</a></li>
+
+
+
+ <li><a href="/log4j/extras/index.html">Apache
log4j 1 extras</a></li>
+
+
+
+ <li><a href="/log4php">Apache log4php</a></li>
+
+
+ </ul>
+ </li>
+ </ul>
+ <ul class="nav">
+ <li><a href="/blog">Blog</a></li>
+ </ul>
+ <ul class="nav">
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
+ <ul class="dropdown-menu">
+ <li><a href="/security/">Handling Security</a></li>
+ <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
+ <li><a href="/activity-monitor/">Activity
Monitor</a></li>
+ </ul>
+ </li>
+ </ul>
+
+ <ul class="nav pull-right">
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Apache<b class="caret"></b></a>
+ <ul class="dropdown-menu">
+ <li><a target="_blank"
href="https://www.apache.org/">Home</a></li>
+ <li><a target="_blank"
href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a target="_blank"
href="https://www.apache.org/licenses/">License</a></li>
+ <li><a target="_blank"
href="https://www.apache.org/foundation/thanks.html">Thanks</a></li>
+ <li><a target="_blank"
href="https://www.apache.org/events/current-event.html">Current Events</a></li>
+ <li><a target="_blank"
href="https://www.apache.org/security/">Security</a></li>
+ <li><a target="_blank"
href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy</a></li>
+ </ul>
+ </li>
+ </ul>
+ </div>
+ </div>
+</div>
+
+
+<div class="container">
+ <div class="content">
+ <div id="preamble">
+<div class="sectionbody">
+<div class="paragraph">
+<p>The Apache Software Foundation does not employ individuals to develop and
support any of its projects.
+The individuals who contribute to Apache projects do it either as part of
specific tasks assigned to them by their employer, on their own initiative to
benefit their employer, or on their own free time.</p>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="discussions">User support</h2>
+<div class="sectionbody">
+<div class="paragraph">
+<p>If you have questions like:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p><em>"How do I configure Log4j with the file appender?"</em></p>
+</li>
+<li>
+<p><em>"My layout is not working as expected; what should I do?"</em></p>
+</li>
+<li>
+<p><em>"How can I migrate from Log4j 1 with this custom
configuration?"</em></p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>We urge you to first check our <a href="faq.html">FAQ</a> to see if it has
already been answered.
+If not, you can ask your questions on one of our official user support
channels:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p><a href="https://github.com/apache/logging-log4j2/discussions">GitHub
Discussions</a> (<strong>experimental</strong>)</p>
+</li>
+<li>
+<p><code>[email protected]</code> mailing list (public | <a
href="mailto:[email protected]">subscribe</a> | <a
href="mailto:[email protected]">unsubscribe</a> | <a
href="mailto:[email protected]">post</a> | <a
href="https://lists.apache.org/list.html?log4j-user@logging.apache.org">archive</a>)</p>
+</li>
+</ul>
+</div>
+<div class="admonitionblock warning">
+<table>
+<tr>
+<td class="icon">
+<div class="title">Warning</div>
+</td>
+<td class="content">
+<div class="paragraph">
+<p><strong>You are expected to be subscribed</strong> to a mailing list to
receive replies to your posted questions!
+If you are not subscribed, when you post an email, it will be subject to
moderation (hence, will be distributed with a delay) and the only way you would
be able to follow the conversation is to use the mailing list archive.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+<div class="admonitionblock warning">
+<table>
+<tr>
+<td class="icon">
+<div class="title">Warning</div>
+</td>
+<td class="content">
+<div class="paragraph">
+<p>Messages sent to a public mailing list will be seen by many people and also
re-published by 3rd party websites.
+It is usually not possible to remove them.
+Please <strong>don’t send mails containing confidential
information</strong> to public mailing lists.
+For more information, please see the <a
href="https://privacy.apache.org/policies/privacy-policy-public.html">privacy
policy</a></p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p><a href="http://stackoverflow.com">Stack Overflow</a> (use <a
href="http://stackoverflow.com/questions/tagged/log4j">log4j</a> or <a
href="http://stackoverflow.com/questions/tagged/log4j2">log4j2</a> tags)</p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="maintainer-discussions">Maintainer discussions</h2>
+<div class="sectionbody">
+<div class="paragraph">
+<p>Apache Log4j project officially uses mailing lists for discussions related
to maintenance and development.</p>
+</div>
+<div class="admonitionblock warning">
+<table>
+<tr>
+<td class="icon">
+<div class="title">Warning</div>
+</td>
+<td class="content">
+<div class="paragraph">
+<p><strong>You are expected to be subscribed</strong> to a mailing list to
receive replies to your posted questions!
+If you are not subscribed, when you post an email, it will be subject to
moderation (hence, will be distributed with a delay) and the only way you would
be able to follow the conversation is to use the mailing list archive.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+<div class="paragraph">
+<p>If you have questions or feedback like:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>A class should have public visibility instead of package-scoped</p>
+</li>
+<li>
+<p>A plugin is missing configuration options</p>
+</li>
+<li>
+<p>You found a bug</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>then please contact us using the following mailing lists:</p>
+</div>
+<div class="dlist">
+<dl>
+<dt class="hdlist1"><code>[email protected]</code> (public | <a
href="mailto:[email protected]">subscribe</a> | <a
href="mailto:[email protected]">unsubscribe</a> | <a
href="mailto:[email protected]">post</a> | <a
href="https://lists.apache.org/list.html?dev@logging.apache.org">archive</a>)</dt>
+<dd>
+<p>For <em>development</em> discussions
+(Please prefix subjects with <code>[log4j]</code> when starting a new
thread!)</p>
+</dd>
+</dl>
+</div>
+<div class="admonitionblock warning">
+<table>
+<tr>
+<td class="icon">
+<div class="title">Warning</div>
+</td>
+<td class="content">
+<div class="paragraph">
+<p>Messages sent to a public mailing list will be seen by many people and also
re-published by 3rd party websites.
+It is usually not possible to remove them.
+Please <strong>don’t send mails containing confidential
information</strong> to public mailing lists.
+For more information, please see the <a
href="https://privacy.apache.org/policies/privacy-policy-public.html">privacy
policy</a></p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+<div class="dlist">
+<dl>
+<dt class="hdlist1"><code>[email protected]</code> (private | <a
href="mailto:[email protected]">post</a>)</dt>
+<dd>
+<p>For reporting unlisted <strong>security vulnerabilities</strong> or other
unexpected behaviour that has a security impact</p>
+</dd>
+<dt class="hdlist1"><code>[email protected]</code> (private | <a
href="mailto:[email protected]">post</a>)</dt>
+<dd>
+<p>For the discussion of confidential topics within the Apache Logging
Services project management committee.</p>
+</dd>
+</dl>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="issues">Issues</h2>
+<div class="sectionbody">
+<div class="paragraph">
+<p>The Log4j project uses <a
href="https://github.com/apache/logging-log4j2/issues">GitHub Issues</a> as its
issue tracking system.
+The old issue tracking system, <a
href="https://issues.apache.org/jira/projects/LOG4J2">JIRA</a>, is still
accessible, though only recommended for issues that were already created
there.</p>
+</div>
+<div class="paragraph">
+<p>Issues get resolved in one of the following ways:</p>
+</div>
+<div class="olist arabic">
+<ol class="arabic">
+<li>
+<p>The reporter or another interested party provides <a
href="https://github.com/apache/logging-log4j2/pulls">a pull request</a>
tagging the issue in its title</p>
+</li>
+<li>
+<p>A committer is interested in the issue and decides to work on it</p>
+</li>
+<li>
+<p>The reporter or another interested party sponsors one or more of <a
href="#sponsorship">the committers listed below</a> to encourage them to work
on the issue</p>
+</li>
+</ol>
+</div>
+<div class="paragraph">
+<p>Created issues are subject to the following policy:</p>
+</div>
+<div class="dlist">
+<dl>
+<dt class="hdlist1">Quality</dt>
+<dd>
+<p>Issues posted of insufficient quality will be removed</p>
+</dd>
+<dt class="hdlist1">No protracted discussions</dt>
+<dd>
+<p>Issues likely to result in protracted discussion must be posted to the
mailing lists</p>
+</dd>
+<dt class="hdlist1">No Questions</dt>
+<dd>
+<p>Do not post questions as issues!
+These will be removed, and you will be asked to post questions to the mailing
lists instead.</p>
+</dd>
+</dl>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="sponsorship">Sponsorship</h2>
+<div class="sectionbody">
+<div class="paragraph">
+<p>Sponsorship can be used simply as a way to say thank you for the work that
has been done or as a way to encourage specific issues to be worked on.
+In either case, while the Apache Logging Services project thanks you for your
support, we cannot be responsible for any promises and/or contributions made by
an individual committer, as individual commits must be reviewed and accepted by
the project team.</p>
+</div>
+<div class="sect2">
+<h3 id="committers-accepting-github-sponsorship">Committers accepting GitHub
Sponsorship</h3>
+<div class="ulist">
+<ul>
+<li>
+<p><a href="https://github.com/carterkozak">Carter Kozak</a></p>
+</li>
+<li>
+<p><a href="https://github.com/garydgregory">Gary Gregory</a></p>
+</li>
+<li>
+<p><a href="https://github.com/jvz">Matt Sicker</a></p>
+</li>
+<li>
+<p><a href="https://github.com/ppkarwasz">Piotr P. Karwasz</a></p>
+</li>
+<li>
+<p><a href="https://github.com/rgoers">Ralph Goers</a></p>
+</li>
+<li>
+<p><a href="https://github.com/vy">Volkan Yazıcı</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="commercial">Third-party commercial support</h2>
+<div class="sectionbody">
+<div class="paragraph">
+<p>While neither the Apache Software Foundation nor the Apache Logging
Services project provide any commercial support for the Log4j products,
individual committers may collaborate with services that provide such
support.</p>
+</div>
+<div class="paragraph">
+<p>The following aims to be a list of all commercial support services
involving one or more Log4j committers.</p>
+</div>
+<div class="sect2">
+<h3 id="tidelift">Tidelift</h3>
+<div class="paragraph">
+<p>Some Log4j maintainers receive funding from Tidelift for their maintenance
efforts.
+See <a href="https://tidelift.com">the Tidelift website</a> for details.</p>
+</div>
+</div>
+</div>
+</div>
+ </div>
+
+<div class="footer">
+ <p>
+ Copyright © 2017-2023 <a href="https://www.apache.org"
target="external">The Apache Software Foundation</a>.
+ Licensed under the <a
href="https://www.apache.org/licenses/LICENSE-2.0"
+ target="external">Apache Software License, Version 2.0</a> Please
read our <a
href="https://privacy.apache.org/policies/privacy-policy-public.html">privacy
policy</a>.
+ </p><p>
+ Apache, Apache chainsaw, Apache log4cxx, Apache log4j, Apache
log4net, Apache log4php and the Apache
+ feather logo are trademarks of The Apache Software Foundation.
Oracle and Java are registered trademarks
+ of Oracle and/or its affiliates. Other names may be trademarks of
their respective owners.
+ </p><p>
+ Site powered by <a href="https://getbootstrap.com/"
target="external">Bootstrap</a>
+ and <a href="https://jquery.com/" target="external">jQuery</a>.
+ </p>
+</div>
+
+</div>
+</body>
+</html>
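Review bot: The Stack Overflow links at the end of the "User support" section (`http://stackoverflow.com`, `http://stackoverflow.com/questions/tagged/log4j`, `http://stackoverflow.com/questions/tagged/log4j2`) are the only external links in this file that use cleartext `http://`; on a page that tells users where to send security reports, a downgradable link is an easy redirect/injection point in transit, so change them to `https://` in the asciidoc source this page is generated from. The `target="_blank"` anchors in the navbar (the Wiki link and the whole Apache dropdown) carry no `rel="noopener noreferrer"`; current browsers imply `noopener` for `_blank`, but stating it explicitly is free and also covers older clients that would otherwise hand the opened page a `window.opener` reference. The `[email protected]` entry correctly routes vulnerability reports to a private list; consider appending `(see the <a href="/security/">Handling Security</a> page)` to that `<dd>` so a reporter lands on the disclosure process rather than only an address.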
diff --git a/content/team-list.html b/content/team-list.html
index c7c41872..f6a256a9 100644
--- a/content/team-list.html
+++ b/content/team-list.html
@@ -27,7 +27,7 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/mailing-lists.html">Mailing
lists</a></li>
+ <li><a href="/support.html">Support & Help</a></li>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
</li>
@@ -113,7 +113,17 @@
<ul class="nav">
<li><a href="/blog">Blog</a></li>
</ul>
-
+ <ul class="nav">
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
+ <ul class="dropdown-menu">
+ <li><a href="/security/">Handling Security</a></li>
+ <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
+ <li><a href="/activity-monitor/">Activity
Monitor</a></li>
+ </ul>
+ </li>
+ </ul>
+
<ul class="nav pull-right">
<li class="dropdown">
<a href="#" class="dropdown-toggle"
data-toggle="dropdown">Apache<b class="caret"></b></a>
diff --git a/content/what-is-logging.html b/content/what-is-logging.html
index b95095b0..a38b4ee9 100644
--- a/content/what-is-logging.html
+++ b/content/what-is-logging.html
@@ -27,7 +27,7 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/mailing-lists.html">Mailing
lists</a></li>
+ <li><a href="/support.html">Support & Help</a></li>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
</li>
@@ -113,7 +113,17 @@
<ul class="nav">
<li><a href="/blog">Blog</a></li>
</ul>
-
+ <ul class="nav">
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
+ <ul class="dropdown-menu">
+ <li><a href="/security/">Handling Security</a></li>
+ <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
+ <li><a href="/activity-monitor/">Activity
Monitor</a></li>
+ </ul>
+ </li>
+ </ul>
+
<ul class="nav pull-right">
<li class="dropdown">
<a href="#" class="dropdown-toggle"
data-toggle="dropdown">Apache<b class="caret"></b></a>