This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-site.git
The following commit(s) were added to refs/heads/asf-staging by this push:
new 12657ef2 Automatic Site Publish by Buildbot
12657ef2 is described below
commit 12657ef2931fffc79af2df1d8d4532490dd6e1e8
Author: buildbot <[email protected]>
AuthorDate: Wed Apr 17 14:22:21 2024 +0000
Automatic Site Publish by Buildbot
---
.../2023/11/17/flume-joins-logging-services.html | 15 +-
content/blog/2023/11/28/new-pmc-member.html | 15 +-
.../2023/12/02/apache-common-logging-1.3.0.html | 15 +-
.../12/14/announcing-support-from-the-stf.html | 15 +-
.../blog/2023/12/18/20-years-of-innovation.html | 15 +-
content/blog/index.html | 15 +-
content/charter.html | 15 +-
content/dormant.html | 15 +-
content/download.html | 43 +-
content/feed.xml | 2 +-
content/guidelines.html | 15 +-
content/index.html | 15 +-
content/mailing-lists.html | 15 +-
content/processes.html | 15 +-
content/security.html | 631 +++++++++++++++++++--
content/security/index.html | 207 -------
content/security/known-vulnerabilities.html | 591 -------------------
content/support.html | 166 +++---
content/team-list.html | 15 +-
content/what-is-logging.html | 15 +-
content/xml/ns/index.html | 15 +-
21 files changed, 781 insertions(+), 1084 deletions(-)
diff --git a/content/blog/2023/11/17/flume-joins-logging-services.html
b/content/blog/2023/11/17/flume-joins-logging-services.html
index 3beeb78d..3b56e641 100644
--- a/content/blog/2023/11/17/flume-joins-logging-services.html
+++ b/content/blog/2023/11/17/flume-joins-logging-services.html
@@ -27,7 +27,6 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/support.html">Support & Help</a></li>
<li><a href="/processes.html">Retirement Processes</a>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home";>Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
@@ -39,17 +38,10 @@
<li><a href="/download.html">Download</a></li>
</ul>
<ul class="nav">
- <li><a href="/blog">Blog</a></li>
+ <li><a href="/support.html">Support</a></li>
</ul>
<ul class="nav">
- <li class="dropdown">
- <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
- <ul class="dropdown-menu">
- <li><a href="/security/">Handling Security</a></li>
- <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
- <li><a href="/activity-monitor/">Activity
Monitor</a></li>
- </ul>
- </li>
+ <li><a href="/security.html">Security</a></li>
</ul>
<ul class="nav">
<li><a href="/xml/ns">XML Schemas</a></li>
@@ -68,6 +60,9 @@
</ul>
</li>
</ul>
+ <ul class="nav pull-right">
+ <li><a href="/blog">Blog</a></li>
+ </ul>
</div>
</div>
</div>
diff --git a/content/blog/2023/11/28/new-pmc-member.html
b/content/blog/2023/11/28/new-pmc-member.html
index 1d2fc9b5..bf28916b 100644
--- a/content/blog/2023/11/28/new-pmc-member.html
+++ b/content/blog/2023/11/28/new-pmc-member.html
@@ -27,7 +27,6 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/support.html">Support & Help</a></li>
<li><a href="/processes.html">Retirement Processes</a>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home";>Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
@@ -39,17 +38,10 @@
<li><a href="/download.html">Download</a></li>
</ul>
<ul class="nav">
- <li><a href="/blog">Blog</a></li>
+ <li><a href="/support.html">Support</a></li>
</ul>
<ul class="nav">
- <li class="dropdown">
- <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
- <ul class="dropdown-menu">
- <li><a href="/security/">Handling Security</a></li>
- <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
- <li><a href="/activity-monitor/">Activity
Monitor</a></li>
- </ul>
- </li>
+ <li><a href="/security.html">Security</a></li>
</ul>
<ul class="nav">
<li><a href="/xml/ns">XML Schemas</a></li>
@@ -68,6 +60,9 @@
</ul>
</li>
</ul>
+ <ul class="nav pull-right">
+ <li><a href="/blog">Blog</a></li>
+ </ul>
</div>
</div>
</div>
diff --git a/content/blog/2023/12/02/apache-common-logging-1.3.0.html
b/content/blog/2023/12/02/apache-common-logging-1.3.0.html
index 2026e9de..b08247b3 100644
--- a/content/blog/2023/12/02/apache-common-logging-1.3.0.html
+++ b/content/blog/2023/12/02/apache-common-logging-1.3.0.html
@@ -27,7 +27,6 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/support.html">Support & Help</a></li>
<li><a href="/processes.html">Retirement Processes</a>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home";>Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
@@ -39,17 +38,10 @@
<li><a href="/download.html">Download</a></li>
</ul>
<ul class="nav">
- <li><a href="/blog">Blog</a></li>
+ <li><a href="/support.html">Support</a></li>
</ul>
<ul class="nav">
- <li class="dropdown">
- <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
- <ul class="dropdown-menu">
- <li><a href="/security/">Handling Security</a></li>
- <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
- <li><a href="/activity-monitor/">Activity
Monitor</a></li>
- </ul>
- </li>
+ <li><a href="/security.html">Security</a></li>
</ul>
<ul class="nav">
<li><a href="/xml/ns">XML Schemas</a></li>
@@ -68,6 +60,9 @@
</ul>
</li>
</ul>
+ <ul class="nav pull-right">
+ <li><a href="/blog">Blog</a></li>
+ </ul>
</div>
</div>
</div>
diff --git a/content/blog/2023/12/14/announcing-support-from-the-stf.html
b/content/blog/2023/12/14/announcing-support-from-the-stf.html
index 686bab4c..15d5fdf8 100644
--- a/content/blog/2023/12/14/announcing-support-from-the-stf.html
+++ b/content/blog/2023/12/14/announcing-support-from-the-stf.html
@@ -27,7 +27,6 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/support.html">Support & Help</a></li>
<li><a href="/processes.html">Retirement Processes</a>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home";>Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
@@ -39,17 +38,10 @@
<li><a href="/download.html">Download</a></li>
</ul>
<ul class="nav">
- <li><a href="/blog">Blog</a></li>
+ <li><a href="/support.html">Support</a></li>
</ul>
<ul class="nav">
- <li class="dropdown">
- <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
- <ul class="dropdown-menu">
- <li><a href="/security/">Handling Security</a></li>
- <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
- <li><a href="/activity-monitor/">Activity
Monitor</a></li>
- </ul>
- </li>
+ <li><a href="/security.html">Security</a></li>
</ul>
<ul class="nav">
<li><a href="/xml/ns">XML Schemas</a></li>
@@ -68,6 +60,9 @@
</ul>
</li>
</ul>
+ <ul class="nav pull-right">
+ <li><a href="/blog">Blog</a></li>
+ </ul>
</div>
</div>
</div>
diff --git a/content/blog/2023/12/18/20-years-of-innovation.html
b/content/blog/2023/12/18/20-years-of-innovation.html
index 91a6e03a..b9bba104 100644
--- a/content/blog/2023/12/18/20-years-of-innovation.html
+++ b/content/blog/2023/12/18/20-years-of-innovation.html
@@ -27,7 +27,6 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/support.html">Support & Help</a></li>
<li><a href="/processes.html">Retirement Processes</a>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home";>Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
@@ -39,17 +38,10 @@
<li><a href="/download.html">Download</a></li>
</ul>
<ul class="nav">
- <li><a href="/blog">Blog</a></li>
+ <li><a href="/support.html">Support</a></li>
</ul>
<ul class="nav">
- <li class="dropdown">
- <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
- <ul class="dropdown-menu">
- <li><a href="/security/">Handling Security</a></li>
- <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
- <li><a href="/activity-monitor/">Activity
Monitor</a></li>
- </ul>
- </li>
+ <li><a href="/security.html">Security</a></li>
</ul>
<ul class="nav">
<li><a href="/xml/ns">XML Schemas</a></li>
@@ -68,6 +60,9 @@
</ul>
</li>
</ul>
+ <ul class="nav pull-right">
+ <li><a href="/blog">Blog</a></li>
+ </ul>
</div>
</div>
</div>
diff --git a/content/blog/index.html b/content/blog/index.html
index 6913bdad..a8519e3c 100644
--- a/content/blog/index.html
+++ b/content/blog/index.html
@@ -27,7 +27,6 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/support.html">Support & Help</a></li>
<li><a href="/processes.html">Retirement Processes</a>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home";>Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
@@ -39,17 +38,10 @@
<li><a href="/download.html">Download</a></li>
</ul>
<ul class="nav">
- <li><a href="/blog">Blog</a></li>
+ <li><a href="/support.html">Support</a></li>
</ul>
<ul class="nav">
- <li class="dropdown">
- <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
- <ul class="dropdown-menu">
- <li><a href="/security/">Handling Security</a></li>
- <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
- <li><a href="/activity-monitor/">Activity
Monitor</a></li>
- </ul>
- </li>
+ <li><a href="/security.html">Security</a></li>
</ul>
<ul class="nav">
<li><a href="/xml/ns">XML Schemas</a></li>
@@ -68,6 +60,9 @@
</ul>
</li>
</ul>
+ <ul class="nav pull-right">
+ <li><a href="/blog">Blog</a></li>
+ </ul>
</div>
</div>
</div>
diff --git a/content/charter.html b/content/charter.html
index d18a57ef..8da7b954 100644
--- a/content/charter.html
+++ b/content/charter.html
@@ -27,7 +27,6 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/support.html">Support & Help</a></li>
<li><a href="/processes.html">Retirement Processes</a>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home";>Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
@@ -39,17 +38,10 @@
<li><a href="/download.html">Download</a></li>
</ul>
<ul class="nav">
- <li><a href="/blog">Blog</a></li>
+ <li><a href="/support.html">Support</a></li>
</ul>
<ul class="nav">
- <li class="dropdown">
- <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
- <ul class="dropdown-menu">
- <li><a href="/security/">Handling Security</a></li>
- <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
- <li><a href="/activity-monitor/">Activity
Monitor</a></li>
- </ul>
- </li>
+ <li><a href="/security.html">Security</a></li>
</ul>
<ul class="nav">
<li><a href="/xml/ns">XML Schemas</a></li>
@@ -68,6 +60,9 @@
</ul>
</li>
</ul>
+ <ul class="nav pull-right">
+ <li><a href="/blog">Blog</a></li>
+ </ul>
</div>
</div>
</div>
diff --git a/content/dormant.html b/content/dormant.html
index 0ee4a357..83e6c03b 100644
--- a/content/dormant.html
+++ b/content/dormant.html
@@ -27,7 +27,6 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/support.html">Support & Help</a></li>
<li><a href="/processes.html">Retirement Processes</a>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home";>Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
@@ -39,17 +38,10 @@
<li><a href="/download.html">Download</a></li>
</ul>
<ul class="nav">
- <li><a href="/blog">Blog</a></li>
+ <li><a href="/support.html">Support</a></li>
</ul>
<ul class="nav">
- <li class="dropdown">
- <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
- <ul class="dropdown-menu">
- <li><a href="/security/">Handling Security</a></li>
- <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
- <li><a href="/activity-monitor/">Activity
Monitor</a></li>
- </ul>
- </li>
+ <li><a href="/security.html">Security</a></li>
</ul>
<ul class="nav">
<li><a href="/xml/ns">XML Schemas</a></li>
@@ -68,6 +60,9 @@
</ul>
</li>
</ul>
+ <ul class="nav pull-right">
+ <li><a href="/blog">Blog</a></li>
+ </ul>
</div>
</div>
</div>
diff --git a/content/download.html b/content/download.html
index ba466cf2..572a94fb 100644
--- a/content/download.html
+++ b/content/download.html
@@ -27,7 +27,6 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/support.html">Support & Help</a></li>
<li><a href="/processes.html">Retirement Processes</a>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home";>Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
@@ -39,17 +38,10 @@
<li><a href="/download.html">Download</a></li>
</ul>
<ul class="nav">
- <li><a href="/blog">Blog</a></li>
+ <li><a href="/support.html">Support</a></li>
</ul>
<ul class="nav">
- <li class="dropdown">
- <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
- <ul class="dropdown-menu">
- <li><a href="/security/">Handling Security</a></li>
- <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
- <li><a href="/activity-monitor/">Activity
Monitor</a></li>
- </ul>
- </li>
+ <li><a href="/security.html">Security</a></li>
</ul>
<ul class="nav">
<li><a href="/xml/ns">XML Schemas</a></li>
@@ -68,6 +60,9 @@
</ul>
</li>
</ul>
+ <ul class="nav pull-right">
+ <li><a href="/blog">Blog</a></li>
+ </ul>
</div>
</div>
</div>
@@ -107,6 +102,21 @@
</dd>
</dl>
</div>
+<div class="admonitionblock important">
+<table>
+<tr>
+<td class="icon">
+<div class="title">Important</div>
+</td>
+<td class="content">
+<div class="paragraph">
+<p>All Logging Services projects distribute convenience binaries that are easy
to install for the programming language platform they target.
+You are strongly advised to <strong>check the installation instructions in the
website of the project</strong> (<a href="/log4cxx">Log4cxx</a>, <a
href="/log4j">Log4j</a>, <a href="/log4net">Log4net</a>, etc.) you are trying
to install.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
</div>
</div>
<div class="sect1">
@@ -129,6 +139,19 @@ shasum --check *.sha512</code></pre>
</div>
</div>
</div>
+</div>
+<div class="sect1">
+<h2 id="sbom">Software Bill of Materials (SBOM)</h2>
+<div class="sectionbody">
+<div class="paragraph">
+<p>Many Logging Services projects distribute <a
href="https://cyclonedx.org/capabilities/vdr";>CycloneDX Software Bill of
Materials (SBOM)</a> along with each deployed artifact.
+This is streamlined by <a href="/logging-parent">Logging Parent</a> for
Maven-based projects.</p>
+</div>
+<div class="paragraph">
+<p>Produced SBOMs contain BOM-links referring to a <a
href="https://cyclonedx.org/capabilities/vdr";>CycloneDX Vulnerability
Disclosure Report (VDR)</a> that Apache Logging Services uses for all projects
it maintains.
+This VDR is accessible through the following URL: <a
href="https://logging.apache.org/cyclonedx/vdr.xml";
class="bare">https://logging.apache.org/cyclonedx/vdr.xml</a></p>
+</div>
+</div>
</div>
</div>
</div>
diff --git a/content/feed.xml b/content/feed.xml
index 2dc2a89d..646eed89 100644
--- a/content/feed.xml
+++ b/content/feed.xml
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?><feed
xmlns="http://www.w3.org/2005/Atom"; ><generator uri="https://jekyllrb.com/";
version="4.2.2">Jekyll</generator><link href="/feed.xml" rel="self"
type="application/atom+xml" /><link href="/" rel="alternate" type="text/html"
/><updated>2024-04-17T11:31:47+00:00</updated><id>/feed.xml</id><title
type="html">Apache Software Foundation - Logging
Services</title><subtitle>Write an awesome description for your new site here.
You can edit this line in _ [...]
+<?xml version="1.0" encoding="utf-8"?><feed
xmlns="http://www.w3.org/2005/Atom"; ><generator uri="https://jekyllrb.com/";
version="4.2.2">Jekyll</generator><link href="/feed.xml" rel="self"
type="application/atom+xml" /><link href="/" rel="alternate" type="text/html"
/><updated>2024-04-17T14:22:20+00:00</updated><id>/feed.xml</id><title
type="html">Apache Software Foundation - Logging
Services</title><subtitle>Write an awesome description for your new site here.
You can edit this line in _ [...]
<p>Today, December 17, 2023 marks a significant milestone for the Apache
Logging Services project,
as we celebrate 20 years since the inception of Log4j 1.
diff --git a/content/guidelines.html b/content/guidelines.html
index ef6fe09f..aae70f0f 100644
--- a/content/guidelines.html
+++ b/content/guidelines.html
@@ -27,7 +27,6 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/support.html">Support & Help</a></li>
<li><a href="/processes.html">Retirement Processes</a>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home";>Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
@@ -39,17 +38,10 @@
<li><a href="/download.html">Download</a></li>
</ul>
<ul class="nav">
- <li><a href="/blog">Blog</a></li>
+ <li><a href="/support.html">Support</a></li>
</ul>
<ul class="nav">
- <li class="dropdown">
- <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
- <ul class="dropdown-menu">
- <li><a href="/security/">Handling Security</a></li>
- <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
- <li><a href="/activity-monitor/">Activity
Monitor</a></li>
- </ul>
- </li>
+ <li><a href="/security.html">Security</a></li>
</ul>
<ul class="nav">
<li><a href="/xml/ns">XML Schemas</a></li>
@@ -68,6 +60,9 @@
</ul>
</li>
</ul>
+ <ul class="nav pull-right">
+ <li><a href="/blog">Blog</a></li>
+ </ul>
</div>
</div>
</div>
diff --git a/content/index.html b/content/index.html
index 7419b657..c63af719 100644
--- a/content/index.html
+++ b/content/index.html
@@ -27,7 +27,6 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/support.html">Support & Help</a></li>
<li><a href="/processes.html">Retirement Processes</a>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home";>Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
@@ -39,17 +38,10 @@
<li><a href="/download.html">Download</a></li>
</ul>
<ul class="nav">
- <li><a href="/blog">Blog</a></li>
+ <li><a href="/support.html">Support</a></li>
</ul>
<ul class="nav">
- <li class="dropdown">
- <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
- <ul class="dropdown-menu">
- <li><a href="/security/">Handling Security</a></li>
- <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
- <li><a href="/activity-monitor/">Activity
Monitor</a></li>
- </ul>
- </li>
+ <li><a href="/security.html">Security</a></li>
</ul>
<ul class="nav">
<li><a href="/xml/ns">XML Schemas</a></li>
@@ -68,6 +60,9 @@
</ul>
</li>
</ul>
+ <ul class="nav pull-right">
+ <li><a href="/blog">Blog</a></li>
+ </ul>
</div>
</div>
</div>
diff --git a/content/mailing-lists.html b/content/mailing-lists.html
index 05ee398a..232ce09c 100644
--- a/content/mailing-lists.html
+++ b/content/mailing-lists.html
@@ -27,7 +27,6 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/support.html">Support & Help</a></li>
<li><a href="/processes.html">Retirement Processes</a>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home";>Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
@@ -39,17 +38,10 @@
<li><a href="/download.html">Download</a></li>
</ul>
<ul class="nav">
- <li><a href="/blog">Blog</a></li>
+ <li><a href="/support.html">Support</a></li>
</ul>
<ul class="nav">
- <li class="dropdown">
- <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
- <ul class="dropdown-menu">
- <li><a href="/security/">Handling Security</a></li>
- <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
- <li><a href="/activity-monitor/">Activity
Monitor</a></li>
- </ul>
- </li>
+ <li><a href="/security.html">Security</a></li>
</ul>
<ul class="nav">
<li><a href="/xml/ns">XML Schemas</a></li>
@@ -68,6 +60,9 @@
</ul>
</li>
</ul>
+ <ul class="nav pull-right">
+ <li><a href="/blog">Blog</a></li>
+ </ul>
</div>
</div>
</div>
diff --git a/content/processes.html b/content/processes.html
index cc7aba83..af34cf67 100644
--- a/content/processes.html
+++ b/content/processes.html
@@ -27,7 +27,6 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/support.html">Support & Help</a></li>
<li><a href="/processes.html">Retirement Processes</a>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home";>Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
@@ -39,17 +38,10 @@
<li><a href="/download.html">Download</a></li>
</ul>
<ul class="nav">
- <li><a href="/blog">Blog</a></li>
+ <li><a href="/support.html">Support</a></li>
</ul>
<ul class="nav">
- <li class="dropdown">
- <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
- <ul class="dropdown-menu">
- <li><a href="/security/">Handling Security</a></li>
- <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
- <li><a href="/activity-monitor/">Activity
Monitor</a></li>
- </ul>
- </li>
+ <li><a href="/security.html">Security</a></li>
</ul>
<ul class="nav">
<li><a href="/xml/ns">XML Schemas</a></li>
@@ -68,6 +60,9 @@
</ul>
</li>
</ul>
+ <ul class="nav pull-right">
+ <li><a href="/blog">Blog</a></li>
+ </ul>
</div>
</div>
</div>
diff --git a/content/security.html b/content/security.html
index d6046d21..92a1c799 100644
--- a/content/security.html
+++ b/content/security.html
@@ -27,7 +27,6 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/support.html">Support & Help</a></li>
<li><a href="/processes.html">Retirement Processes</a>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home";>Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
@@ -39,17 +38,10 @@
<li><a href="/download.html">Download</a></li>
</ul>
<ul class="nav">
- <li><a href="/blog">Blog</a></li>
+ <li><a href="/support.html">Support</a></li>
</ul>
<ul class="nav">
- <li class="dropdown">
- <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
- <ul class="dropdown-menu">
- <li><a href="/security/">Handling Security</a></li>
- <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
- <li><a href="/activity-monitor/">Activity
Monitor</a></li>
- </ul>
- </li>
+ <li><a href="/security.html">Security</a></li>
</ul>
<ul class="nav">
<li><a href="/xml/ns">XML Schemas</a></li>
@@ -68,6 +60,9 @@
</ul>
</li>
</ul>
+ <ul class="nav pull-right">
+ <li><a href="/blog">Blog</a></li>
+ </ul>
</div>
</div>
</div>
@@ -75,50 +70,578 @@
<div class="container">
<div class="content">
- <h2
id="reporting-new-security-problems-with-apache-logging-projectsh2">Reporting
New Security Problems with Apache Logging Projects</h2></h2>
-
-<p>The Apache Software Foundation takes a very active stance in eliminating
security problems and denial
-of service attacks against its products.</p>
-
-<p>We strongly encourage folks to report such problems to our private security
mailing list first,
-before disclosing them in a public forum.</p>
-
-<p>Please note that the security mailing list should only be used for
reporting undisclosed security
-vulnerabilities and managing the process of fixing such vulnerabilities. We
cannot accept regular
-bug reports or other queries at this address. All mail sent to this address
that does not relate
-to an undisclosed security problem in our source code will be ignored.</p>
-
-<p>If you need to report a bug that isn’t an undisclosed security
vulnerability, please use the
-project’s issue tracker.</p>
-
-<p>The private security mailing address is: <a
href="mailto:%73%65%63%75%72%69%74%79%40%61%70%61%63%68%65%2E%6F%72%67";>[email protected]</a></p>
-
-<h2 id="asking-questions-about-known-security-problems">Asking Questions About
Known Security Problems</h2>
-
-<p>Questions about:</p>
-
-<ol>
- <li>if a vulnerability applies to your particular application</li>
- <li>obtaining further information on a published vulnerability</li>
- <li>availability of patches and/or new releases</li>
-</ol>
-
-<p>should be addressed to the users mailing list. Please see the <a
href="/mailing-lists.html">mailing lists page</a>
-for details of how to subscribe.</p>
-
-<h2 id="known-security-vulnerabilities">Known Security Vulnerabilities</h2>
-
-<p>Known security vulnerabilities fixed in released versions of Apache Logging
projects are listed in
-specific pages for each project.</p>
-
-<p>If you have encountered an unlisted security vulnerability or other
unexpected behaviour that has
-security impact, or if the descriptions in one of the pages are incomplete,
please report them
-privately to the Apache Security Team. Thank you.</p>
-
-<p>Errors and Ommissions</p>
-
-<p>Please report any errors or omissions to <a href="/mailing-lists.html">the
dev mailing list</a> .</p>
-
+ <div id="preamble">
+<div class="sectionbody">
+<div class="paragraph">
+<p>The Logging Services Security Team takes security seriously.
+This allows our users to place their trust in Log4j for protecting their
mission-critical data.
+In this page we will help you find guidance on security-related issues and
access to known vulnerabilities.</p>
+</div>
+<div class="admonitionblock warning">
+<table>
+<tr>
+<td class="icon">
+<div class="title">Warning</div>
+</td>
+<td class="content">
+<div class="paragraph">
+<p><a href="/log4j/1.x">Log4j 1</a> has <a
href="https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces";>reached
End of Life</a> in 2015, and is no longer supported.
+Vulnerabilities reported after August 2015 against Log4j 1 are not checked and
will not be fixed.
+Users should <a href="/log4j/2.x/manual/migration.html">upgrade to Log4j 2</a>
to obtain security fixes.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="support">Getting support</h2>
+<div class="sectionbody">
+<div class="paragraph">
+<p>If you need help on building or configuring Logging Services projects or
other help on following the instructions to mitigate the known vulnerabilities
listed here, please use our <a href="support.html#discussions">user support
channels</a>.</p>
+</div>
+<div class="admonitionblock tip">
+<table>
+<tr>
+<td class="icon">
+<div class="title">Tip</div>
+</td>
+<td class="content">
+<div class="paragraph">
+<p>If you need to apply a source code patch, use the building instructions for
the project version that you are using.
+These instructions can be found in <code>BUILDING.adoc</code>,
<code>BUILDING.md</code>, etc. files distributed with the sources.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="reporting">Reporting vulnerabilities</h2>
+<div class="sectionbody">
+<div class="paragraph">
+<p>If you have encountered an unlisted security vulnerability or other
unexpected behaviour that has a security impact, or if the descriptions here
are incomplete, please report them <strong>privately</strong> to <a
href="mailto:[email protected]";>the Logging Services Security
Team</a>.</p>
+</div>
+<div class="admonitionblock warning">
+<table>
+<tr>
+<td class="icon">
+<div class="title">Warning</div>
+</td>
+<td class="content">
+<div class="paragraph">
+<p>The threat model that Log4j uses considers configuration files as safe
input controlled by the programmer; <strong>potential vulnerabilities that
require the ability to modify a configuration are not considered
vulnerabilities</strong> as the required access to do so implies the attacker
can execute arbitrary code.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="policy">Vulnerability handling policy</h2>
+<div class="sectionbody">
+<div class="paragraph">
+<p>The Logging Services Security Team follows the <a
href="https://www.apache.org/security/committers.html";>ASF Project Security</a>
guide for handling security vulnerabilities.</p>
+</div>
+<div class="paragraph">
+<p>Reported security vulnerabilities are subject to voting (by means of <a
href="https://logging.apache.org/guidelines.html";><em>lazy approval</em></a>,
preferably) in the private <a
href="mailto:[email protected]";>security mailing list</a> before
creating a CVE and populating its associated content.
+This procedure involves only the creation of CVEs and blocks neither
(vulnerability) fixes, nor releases.</p>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="vdr">Vulnerability Disclosure Report (VDR)</h2>
+<div class="sectionbody">
+<div class="paragraph">
+<p>Many Logging Services projects distribute <a
href="https://cyclonedx.org/capabilities/vdr";>CycloneDX Software Bill of
Materials (SBOM)</a> along with each deployed artifact.
+This is streamlined by <a href="/logging-parent">Logging Parent</a> for
Maven-based projects.</p>
+</div>
+<div class="paragraph">
+<p>Produced SBOMs contain BOM-links referring to a <a
href="https://cyclonedx.org/capabilities/vdr";>CycloneDX Vulnerability
Disclosure Report (VDR)</a> that Apache Logging Services uses for all projects
it maintains.
+This VDR is accessible through the following URL: <a
href="https://logging.apache.org/cyclonedx/vdr.xml";
class="bare">https://logging.apache.org/cyclonedx/vdr.xml</a></p>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="vulnerabilities">Known vulnerabilities</h2>
+<div class="sectionbody">
+<div class="paragraph">
+<p>The Logging Services Security Team believes that accuracy, completeness and
availability of security information is essential for our users.
+We choose to pool all information on this one page, allowing easy searching
for security vulnerabilities over a range of criteria.</p>
+</div>
+<div class="admonitionblock note">
+<table>
+<tr>
+<td class="icon">
+<div class="title">Note</div>
+</td>
+<td class="content">
+<div class="paragraph">
+<p>We adhere to <a
href="https://maven.apache.org/enforcer/enforcer-rules/versionRanges.html";>the
Maven version range syntax</a> while sharing versions of affected components.
+We only extend this mathematical notation with set union operator (i.e.,
<code>∪</code>) to denote union of multiple ranges.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+<div class="sect2">
+<h3 id="CVE-2021-44832"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-44832";>CVE-2021-44832</a></h3>
+<table class="tableblock frame-all grid-all stretch">
+<colgroup>
+<col style="width: 16.6666%;">
+<col style="width: 83.3334%;">
+</colgroup>
+<tbody>
+<tr>
+<th class="tableblock halign-left valign-top"><p
class="tableblock">Summary</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">JDBC
appender is vulnerable to remote code execution in certain
configurations</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x
Score & Vector</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">6.6 MEDIUM
(CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Components
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>log4j-core</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>[2.0-beta7, 2.3.2) ∪ [2.4, 2.12.4) ∪ [2.13.0,
2.17.1)</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
fixed</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>2.3.2</code> (for Java 6), <code>2.12.4</code> (for
Java 7), or <code>2.17.1</code> (for Java 8 and later)</p></td>
+</tr>
+</tbody>
+</table>
+<div class="sect3">
+<h4 id="CVE-2021-44832-description">Description</h4>
+<div class="paragraph">
+<p>An attacker with write access to the logging configuration can construct a
malicious configuration using a JDBC Appender with a data source referencing a
JNDI URI which can execute remote code.
+This issue is fixed by limiting JNDI data source names to the
<code>java</code> protocol.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2021-44832-mitigation">Mitigation</h4>
+<div class="paragraph">
+<p>Upgrade to <code>2.3.2</code> (for Java 6), <code>2.12.4</code> (for Java
7), or <code>2.17.1</code> (for Java 8 and later).</p>
+</div>
+<div class="paragraph">
+<p>In prior releases confirm that if the JDBC Appender is being used it is not
configured to use any protocol other than <code>java</code>.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2021-44832-references">References</h4>
+<div class="ulist">
+<ul>
+<li>
+<p><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-44832";>CVE-2021-44832</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="CVE-2021-45105"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105";>CVE-2021-45105</a></h3>
+<table class="tableblock frame-all grid-all stretch">
+<colgroup>
+<col style="width: 16.6666%;">
+<col style="width: 83.3334%;">
+</colgroup>
+<tbody>
+<tr>
+<th class="tableblock halign-left valign-top"><p
class="tableblock">Summary</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Infinite
recursion in lookup evaluation</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x
Score & Vector</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">5.9 MEDIUM
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Components
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>log4j-core</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>[2.0-alpha1, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0,
2.17.0)</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
fixed</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for
Java 7), and <code>2.17.0</code> (for Java 8 and later)</p></td>
+</tr>
+</tbody>
+</table>
+<div class="sect3">
+<h4 id="CVE-2021-45105-description">Description</h4>
+<div class="paragraph">
+<p>Log4j versions <code>2.0-alpha1</code> through <code>2.16.0</code>
(excluding <code>2.3.1</code> and <code>2.12.3</code>), did not protect from
uncontrolled recursion that can be implemented using self-referential lookups.
+When the logging configuration uses a non-default Pattern Layout with a
Context Lookup (for example, <code>$${ctx:loginId}</code>), attackers with
control over Thread Context Map (MDC) input data can craft malicious input data
that contains a recursive lookup, resulting in a
<code>StackOverflowError</code> that will terminate the process.
+This is also known as a <em>DoS (Denial-of-Service)</em> attack.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2021-45105-mitigation">Mitigation</h4>
+<div class="paragraph">
+<p>Upgrade to <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java
7), or <code>2.17.0</code> (for Java 8 and later).</p>
+</div>
+<div class="paragraph">
+<p>Alternatively, this infinite recursion issue can be mitigated in
configuration:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>In PatternLayout in the logging configuration, replace Context Lookups like
<code>${ctx:loginId}</code> or <code>$${ctx:loginId}</code> with Thread Context
Map patterns (<code>%X</code>, <code>%mdc</code>, or <code>%MDC</code>).</p>
+</li>
+<li>
+<p>Otherwise, in the configuration, remove references to Context Lookups like
<code>${ctx:loginId}</code> or <code>$${ctx:loginId}</code> where they originate
+from sources external to the application such as HTTP headers or user input.
+Note that this mitigation is insufficient in releases older than
<code>2.12.2</code> (for Java 7), and <code>2.16.0</code> (for Java 8 and
later) as the issues fixed in those releases will still be present.</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>Note that only the <code>log4j-core</code> JAR file is impacted by this
vulnerability.
+Applications using only the <code>log4j-api</code> JAR file without the
<code>log4j-core</code> JAR file are not impacted by this vulnerability.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2021-45105-credits">Credits</h4>
+<div class="paragraph">
+<p>Independently discovered by Hideki Okamoto of Akamai Technologies, Guy
Lederfein of Trend Micro Research working with Trend Micro’s Zero Day
Initiative, and another anonymous vulnerability researcher.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2021-45105-references">References</h4>
+<div class="ulist">
+<ul>
+<li>
+<p><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105";>CVE-2021-45105</a></p>
+</li>
+<li>
+<p><a
href="https://issues.apache.org/jira/browse/LOG4J2-3230";>LOG4J2-3230</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="CVE-2021-45046"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-45046";>CVE-2021-45046</a></h3>
+<table class="tableblock frame-all grid-all stretch">
+<colgroup>
+<col style="width: 16.6666%;">
+<col style="width: 83.3334%;">
+</colgroup>
+<tbody>
+<tr>
+<th class="tableblock halign-left valign-top"><p
class="tableblock">Summary</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Thread
Context Lookup is vulnerable to remote code execution in certain
configurations</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x
Score & Vector</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">9.0
CRITICAL (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Components
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>log4j-core</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0,
2.17.0)</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
fixed</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for
Java 7), and <code>2.17.0</code> (for Java 8 and later)</p></td>
+</tr>
+</tbody>
+</table>
+<div class="sect3">
+<h4 id="CVE-2021-45046-description">Description</h4>
+<div class="paragraph">
+<p>It was found that the fix to address <a
href="#CVE-2021-44228">CVE-2021-44228</a> in Log4j <code>2.15.0</code> was
incomplete in certain non-default configurations.
+When the logging configuration uses a non-default Pattern Layout with a Thread
Context Lookup (for example, <code>$${ctx:loginId}</code>), attackers with
control over Thread Context Map (MDC) can craft malicious input data using a
JNDI Lookup pattern, resulting in an information leak and remote code execution
in some environments and local code execution in all environments.
+Remote code execution has been demonstrated on macOS, Fedora, Arch Linux, and
Alpine Linux.</p>
+</div>
+<div class="paragraph">
+<p>Note that this vulnerability is not limited to just the JNDI lookup.
+Any other Lookup could also be included in a Thread Context Map variable and
possibly have private details exposed to anyone with access to the logs.</p>
+</div>
+<div class="paragraph">
+<p>Note that only the <code>log4j-core</code> JAR file is impacted by this
vulnerability.
+Applications using only the <code>log4j-api</code> JAR file without the
<code>log4j-core</code> JAR file are not impacted by this vulnerability.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2021-45046-mitigation">Mitigation</h4>
+<div class="paragraph">
+<p>Upgrade to Log4j <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for
Java 7), or <code>2.17.0</code> (for Java 8 and later).</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2021-45046-credits">Credits</h4>
+<div class="paragraph">
+<p>This issue was discovered by Kai Mindermann of iC Consult and separately by
4ra1n.</p>
+</div>
+<div class="paragraph">
+<p>Additional vulnerability details discovered independently by Ash Fox of
Google, Alvaro Muñoz and Tony Torralba from GitHub, Anthony Weems of
Praetorian, and RyotaK (@ryotkak).</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2021-45046-references">References</h4>
+<div class="ulist">
+<ul>
+<li>
+<p><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-45046";>CVE-2021-45046</a></p>
+</li>
+<li>
+<p><a
href="https://issues.apache.org/jira/browse/LOG4J2-3221";>LOG4J2-3221</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="CVE-2021-44228"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228";>CVE-2021-44228</a></h3>
+<table class="tableblock frame-all grid-all stretch">
+<colgroup>
+<col style="width: 16.6666%;">
+<col style="width: 83.3334%;">
+</colgroup>
+<tbody>
+<tr>
+<th class="tableblock halign-left valign-top"><p
class="tableblock">Summary</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">JNDI
lookup can be exploited to execute arbitrary code loaded from an LDAP
server</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x
Score & Vector</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">10.0
CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Components
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>log4j-core</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0,
2.17.0)</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
fixed</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for
Java 7), and <code>2.17.0</code> (for Java 8 and later)</p></td>
+</tr>
+</tbody>
+</table>
+<div class="sect3">
+<h4 id="CVE-2021-44228-description">Description</h4>
+<div class="paragraph">
+<p>In Log4j, the JNDI features used in configurations, log messages, and
parameters do not protect against attacker-controlled LDAP and other JNDI
related endpoints.
+An attacker who can control log messages or log message parameters can execute
arbitrary code loaded from LDAP servers.</p>
+</div>
+<div class="paragraph">
+<p>Note that only the <code>log4j-core</code> JAR file is impacted by this
vulnerability.
+Applications using only the <code>log4j-api</code> JAR file without the
<code>log4j-core</code> JAR file are not impacted by this vulnerability.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2021-44228-mitigation">Mitigation</h4>
+<div class="sect4">
+<h5 id="CVE-2021-44228-mitigation-log4j1">Log4j 1 mitigation</h5>
+<div class="admonitionblock warning">
+<table>
+<tr>
+<td class="icon">
+<div class="title">Warning</div>
+</td>
+<td class="content">
+<div class="paragraph">
+<p><a href="/log4j/1.x">Log4j 1</a> has <a
href="https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces";>reached
End of Life</a> in 2015, and is no longer supported.
+Vulnerabilities reported after August 2015 against Log4j 1 are not checked and
will not be fixed.
+Users should <a href="/log4j/2.x/manual/migration.html">upgrade to Log4j 2</a>
to obtain security fixes.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+<div class="paragraph">
+<p>Log4j 1 does not have Lookups, so the risk is lower.
+Applications using Log4j 1 are only vulnerable to this attack when they use
JNDI in their configuration.
+A separate CVE (<a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-4104";>CVE-2021-4104</a>) has
been filed for this vulnerability.
+To mitigate, audit your logging configuration to ensure it has no
<code>JMSAppender</code> configured.
+Log4j 1 configurations without <code>JMSAppender</code> are not impacted by
this vulnerability.</p>
+</div>
+</div>
+<div class="sect4">
+<h5 id="CVE-2021-44228-mitigation-log4j2">Log4j 2 mitigation</h5>
+<div class="paragraph">
+<p>Upgrade to Log4j <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for
Java 7), or <code>2.17.0</code> (for Java 8 and later).</p>
+</div>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2021-44228-credits">Credits</h4>
+<div class="paragraph">
+<p>This issue was discovered by Chen Zhaojun of Alibaba Cloud Security
Team.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2021-44228-references">References</h4>
+<div class="ulist">
+<ul>
+<li>
+<p><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228";>CVE-2021-44228</a></p>
+</li>
+<li>
+<p><a
href="https://issues.apache.org/jira/browse/LOG4J2-3198";>LOG4J2-3198</a></p>
+</li>
+<li>
+<p><a
href="https://issues.apache.org/jira/browse/LOG4J2-3201";>LOG4J2-3201</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="CVE-2020-9488"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2020-9488";>CVE-2020-9488</a></h3>
+<table class="tableblock frame-all grid-all stretch">
+<colgroup>
+<col style="width: 16.6666%;">
+<col style="width: 83.3334%;">
+</colgroup>
+<tbody>
+<tr>
+<th class="tableblock halign-left valign-top"><p
class="tableblock">Summary</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Improper
validation of certificate with host mismatch in SMTP appender</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x
Score & Vector</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">3.7 LOW
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Components
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>log4j-core</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>[2.0-beta1, 2.12.3) ∪ [2.13.1, 2.13.2)</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
fixed</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>2.12.3</code> (Java 7) and <code>2.13.2</code> (Java 8
and later)</p></td>
+</tr>
+</tbody>
+</table>
+<div class="sect3">
+<h4 id="CVE-2020-9488-description">Description</h4>
+<div class="paragraph">
+<p>Improper validation of certificate with host mismatch in SMTP appender.
+This could allow an SMTPS connection to be intercepted by a man-in-the-middle
attack which could leak any log
+messages sent through that appender.</p>
+</div>
+<div class="paragraph">
+<p>The reported issue was caused by an error in <code>SslConfiguration</code>.
+Any element using <code>SslConfiguration</code> in the Log4j
<code>Configuration</code> is also affected by this issue.
+This includes <code>HttpAppender</code>, <code>SocketAppender</code>, and
<code>SyslogAppender</code>.
+Usages of <code>SslConfiguration</code> that are configured via system
properties are not affected.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2020-9488-mitigation">Mitigation</h4>
+<div class="paragraph">
+<p>Upgrade to <code>2.12.3</code> (Java 7) or <code>2.13.2</code> (Java 8 and
later).</p>
+</div>
+<div class="paragraph">
+<p>Alternatively, users can set the
<code>mail.smtp.ssl.checkserveridentity</code> system property to
<code>true</code> to enable SMTPS hostname verification for all SMTPS mail
sessions.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2020-9488-credits">Credits</h4>
+<div class="paragraph">
+<p>This issue was discovered by Peter Stöckli.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2020-9488-references">References</h4>
+<div class="ulist">
+<ul>
+<li>
+<p><a
href="https://nvd.nist.gov/vuln/detail/CVE-2020-9488";>CVE-2020-9488</a></p>
+</li>
+<li>
+<p><a
href="https://issues.apache.org/jira/browse/LOG4J2-2819";>LOG4J2-2819</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="CVE-2017-5645"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-5645";>CVE-2017-5645</a></h3>
+<table class="tableblock frame-all grid-all stretch">
+<colgroup>
+<col style="width: 16.6666%;">
+<col style="width: 83.3334%;">
+</colgroup>
+<tbody>
+<tr>
+<th class="tableblock halign-left valign-top"><p
class="tableblock">Summary</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">TCP/UDP
socket servers can be exploited to execute arbitrary code</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 2.0
Score & Vector</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">7.5 HIGH
(AV:N/AC:L/Au:N/C:P/I:P/A:P)</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Components
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>log4j-core</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>[2.0-alpha1, 2.8.2)</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
fixed</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>2.8.2</code> (Java 7)</p></td>
+</tr>
+</tbody>
+</table>
+<div class="sect3">
+<h4 id="CVE-2017-5645-description">Description</h4>
+<div class="paragraph">
+<p>When using the TCP socket server or UDP socket server to receive serialized
log events from another application, a specially crafted binary payload can be
sent that, when deserialized, can execute arbitrary code.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2017-5645-mitigation">Mitigation</h4>
+<div class="paragraph">
+<p>Java 7 and above users should migrate to version <code>2.8.2</code> or
avoid using the socket server classes.
+Java 6 users should avoid using the TCP or UDP socket server classes, or they
can manually backport <a
href="https://github.com/apache/logging-log4j2/commit/5dcc192";>the security fix
commit</a> from <code>2.8.2</code>.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2017-5645-credits">Credits</h4>
+<div class="paragraph">
+<p>This issue was discovered by Marcio Almeida de Macedo of Red Team at
Telstra.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2017-5645-references">References</h4>
+<div class="ulist">
+<ul>
+<li>
+<p><a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-5645";>CVE-2017-5645</a></p>
+</li>
+<li>
+<p><a
href="https://issues.apache.org/jira/browse/LOG4J2-1863";>LOG4J2-1863</a></p>
+</li>
+<li>
+<p><a href="https://github.com/apache/logging-log4j2/commit/5dcc192";>Security
fix commit</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+</div>
+</div>
</div>
</div>
diff --git a/content/security/index.html b/content/security/index.html
deleted file mode 100644
index f954455b..00000000
--- a/content/security/index.html
+++ /dev/null
@@ -1,207 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
- <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
- <title>Apache Logging Services</title>
-
- <link href="/css/asciidoctor-default.css" rel="stylesheet" type="text/css"
/>
- <link href="/css/bootstrap.min.css" rel="stylesheet" type="text/css" />
- <link href="/css/site.css?version=20231214" rel="stylesheet"
type="text/css" />
-
- <script src="/js/jquery.min.js"></script>
- <script src="/js/bootstrap.min.js"></script>
- <script src="/js/site.js"></script>
- <link rel="alternate" type="application/rss+xml" title="ASF Loggin
Services" href="/feed.xml">
-</head>
-
-
-<body>
-<div class="navbar">
- <div class="navbar-inner">
- <div class="container">
- <a class="brand" href="/">Apache Logging Services™</a>
- <ul class="nav">
- <li class="dropdown">
- <a href="#" class="dropdown-toggle"
data-toggle="dropdown">About<b class="caret"></b></a>
- <ul class="dropdown-menu">
- <li><a href="/guidelines.html">Guidelines</a></li>
- <li><a href="/charter.html">Charter</a></li>
- <li><a href="/team-list.html">Team</a></li>
- <li><a href="/support.html">Support & Help</a></li>
- <li><a href="/processes.html">Retirement Processes</a>
- <li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home";>Wiki</a>
- <li><a href="/what-is-logging.html">What is
logging?</a>
- </li>
- </ul>
- </li>
- </ul>
- <ul class="nav">
- <li><a href="/download.html">Download</a></li>
- </ul>
- <ul class="nav">
- <li><a href="/blog">Blog</a></li>
- </ul>
- <ul class="nav">
- <li class="dropdown">
- <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
- <ul class="dropdown-menu">
- <li><a href="/security/">Handling Security</a></li>
- <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
- <li><a href="/activity-monitor/">Activity
Monitor</a></li>
- </ul>
- </li>
- </ul>
- <ul class="nav">
- <li><a href="/xml/ns">XML Schemas</a></li>
- </ul>
- <ul class="nav pull-right">
- <li class="dropdown">
- <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Apache<b class="caret"></b></a>
- <ul class="dropdown-menu">
- <li><a target="_blank"
href="https://www.apache.org/";>Home</a></li>
- <li><a target="_blank"
href="https://www.apache.org/foundation/sponsorship.html";>Sponsorship</a></li>
- <li><a target="_blank"
href="https://www.apache.org/licenses/";>License</a></li>
- <li><a target="_blank"
href="https://www.apache.org/foundation/thanks.html";>Thanks</a></li>
- <li><a target="_blank"
href="https://www.apache.org/events/current-event.html";>Current Events</a></li>
- <li><a target="_blank"
href="https://www.apache.org/security/";>Security</a></li>
- <li><a target="_blank"
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy</a></li>
- </ul>
- </li>
- </ul>
- </div>
- </div>
-</div>
-
-
-<div class="container">
- <div class="content">
- <div class="sect1">
-<h2 id="security">Security</h2>
-<div class="sectionbody">
-<div class="paragraph">
-<p>The Apache Logging Services Security Team takes security seriously.
-This allows our users to place their trust in Log4j for protecting their
mission-critical data.
-In this page we will help you find guidance on security-related issues and
access to known vulnerabilities.</p>
-</div>
-<div class="admonitionblock warning">
-<table>
-<tr>
-<td class="icon">
-<div class="title">Warning</div>
-</td>
-<td class="content">
-<div class="paragraph">
-<p><a href="http://logging.apache.org/log4j/1.x";>Log4j 1</a> has <a
href="https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces";>reached
End of Life</a> in 2015, and is no longer supported.
-Vulnerabilities reported after August 2015 against Log4j 1 are not checked and
will not be fixed.
-Users should <a href="manual/migration.html">upgrade to Log4j 2</a> to obtain
security fixes.</p>
-</div>
-</td>
-</tr>
-</table>
-</div>
-</div>
-</div>
-<div class="sect1">
-<h2 id="support">Getting support</h2>
-<div class="sectionbody">
-<div class="paragraph">
-<p>If you need help on building or configuring any logging component such as
Log4j or other help on following the instructions to mitigate the known
vulnerabilities listed here, please use our <a
href="../support.html#discussions">user support channels</a>.</p>
-</div>
-<div class="admonitionblock tip">
-<table>
-<tr>
-<td class="icon">
-<div class="title">Tip</div>
-</td>
-<td class="content">
-<div class="paragraph">
-<p>If you need to apply a source code patch, use the building instructions for
the Log4j version that you are using.
-These instructions can be found in <code>BUILDING.md</code> distributed with
the sources.</p>
-</div>
-</td>
-</tr>
-</table>
-</div>
-</div>
-</div>
-<div class="sect1">
-<h2 id="reporting">Reporting vulnerabilities</h2>
-<div class="sectionbody">
-<div class="paragraph">
-<p>If you have encountered an unlisted security vulnerability or other
unexpected behaviour that has a security impact, or if the descriptions here
are incomplete, please report them <strong>privately</strong> to <a
href="mailto:[email protected]";>the Logging Services Security
Team</a>.</p>
-</div>
-<div class="admonitionblock warning">
-<table>
-<tr>
-<td class="icon">
-<div class="title">Warning</div>
-</td>
-<td class="content">
-<div class="paragraph">
-<p>The threat model that Log4j uses considers configuration files as safe
input controlled by the programmer; <strong>potential vulnerabilities that
require the ability to modify a configuration are not considered
vulnerabilities</strong> as the required access to do so implies the attacker
can execute arbitrary code.</p>
-</div>
-</td>
-</tr>
-</table>
-</div>
-</div>
-</div>
-<div class="sect1">
-<h2 id="policy">Vulnerability handling policy</h2>
-<div class="sectionbody">
-<div class="paragraph">
-<p>The Apache Logging Services Security Team follows the <a
href="https://www.apache.org/security/committers.html";>ASF Project Security</a>
guide for handling security vulnerabilities.</p>
-</div>
-<div class="paragraph">
-<p>Reported security vulnerabilities are subject to voting (by means of <a
href="https://logging.apache.org/guidelines.html";><em>lazy approval</em></a>,
preferably) in the private <a
href="mailto:[email protected]";>security mailing list</a> before
creating a CVE and populating its associated content.
-This procedure involves only the creation of CVEs and blocks neither
(vulnerability) fixes, nor releases.</p>
-</div>
-</div>
-</div>
-<div class="sect1">
-<h2 id="vdr">Vulnerability Disclosure Report (VDR)</h2>
-<div class="sectionbody">
-<div class="paragraph">
-<p>Starting with version <code>2.22.0</code>, Log4j distributes <a
href="https://cyclonedx.org/capabilities/vdr";>CycloneDX Software Bill of
Materials (SBOM)</a> along with each deployed artifact.
-Produced SBOMs contain BOM-links referring to a <a
href="https://cyclonedx.org/capabilities/vdr";>CycloneDX Vulnerability
Disclosure Report (VDR)</a> that Apache Logging Services uses for all projects
it maintains.
-All this is streamlined by <code>logging-parent</code>, see <a
href="https://logging.apache.org/logging-parent/latest/#cyclonedx-sbom";>its
website</a> for details.</p>
-</div>
-</div>
-</div>
- </div>
-</div>
-
-
-<div class="footer">
- <div class="container">
- <p>
- Copyright © 2017-2024 <a href="https://www.apache.org";
target="external">The Apache Software Foundation</a>.
- Licensed under the <a
href="https://www.apache.org/licenses/LICENSE-2.0";
- target="external">Apache Software License, Version 2.0</a> Please
read our <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>privacy
policy</a>.
- </p><p>
- Apache, Chainsaw, log4cxx, Log4j, Log4net, log4php and the Apache
- feather logo are trademarks or registered trademarks of The Apache
- Software Foundation.
- Oracle and Java are registered trademarks
- of Oracle and/or its affiliates. Other names may be trademarks of
their respective owners.
- </p>
- </div>
-</div>
-<!-- Matomo -->
-<script>
- var _paq = window._paq = window._paq || [];
- _paq.push(["disableCookies"]);
- _paq.push(['trackPageView']);
- _paq.push(['enableLinkTracking']);
- (function() {
- var u="https://analytics.apache.org/";;
- _paq.push(['setTrackerUrl', u+'matomo.php']);
- _paq.push(['setSiteId', '42']);
- var d=document, g=d.createElement('script'),
s=d.getElementsByTagName('script')[0];
- g.async=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);
- })();
-</script>
-<noscript><p><img
src="https://analytics.apache.org/matomo.php?idsite=42&rec=1";
style="border:0;" alt="" /></p></noscript>
-<!-- End Matomo Code -->
-</body>
-</html>
diff --git a/content/security/known-vulnerabilities.html
b/content/security/known-vulnerabilities.html
deleted file mode 100644
index 9532d079..00000000
--- a/content/security/known-vulnerabilities.html
+++ /dev/null
@@ -1,591 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
- <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
- <title>Apache Logging Services</title>
-
- <link href="/css/asciidoctor-default.css" rel="stylesheet" type="text/css"
/>
- <link href="/css/bootstrap.min.css" rel="stylesheet" type="text/css" />
- <link href="/css/site.css?version=20231214" rel="stylesheet"
type="text/css" />
-
- <script src="/js/jquery.min.js"></script>
- <script src="/js/bootstrap.min.js"></script>
- <script src="/js/site.js"></script>
- <link rel="alternate" type="application/rss+xml" title="ASF Loggin
Services" href="/feed.xml">
-</head>
-
-
-<body>
-<div class="navbar">
- <div class="navbar-inner">
- <div class="container">
- <a class="brand" href="/">Apache Logging Services™</a>
- <ul class="nav">
- <li class="dropdown">
- <a href="#" class="dropdown-toggle"
data-toggle="dropdown">About<b class="caret"></b></a>
- <ul class="dropdown-menu">
- <li><a href="/guidelines.html">Guidelines</a></li>
- <li><a href="/charter.html">Charter</a></li>
- <li><a href="/team-list.html">Team</a></li>
- <li><a href="/support.html">Support & Help</a></li>
- <li><a href="/processes.html">Retirement Processes</a>
- <li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home";>Wiki</a>
- <li><a href="/what-is-logging.html">What is
logging?</a>
- </li>
- </ul>
- </li>
- </ul>
- <ul class="nav">
- <li><a href="/download.html">Download</a></li>
- </ul>
- <ul class="nav">
- <li><a href="/blog">Blog</a></li>
- </ul>
- <ul class="nav">
- <li class="dropdown">
- <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
- <ul class="dropdown-menu">
- <li><a href="/security/">Handling Security</a></li>
- <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
- <li><a href="/activity-monitor/">Activity
Monitor</a></li>
- </ul>
- </li>
- </ul>
- <ul class="nav">
- <li><a href="/xml/ns">XML Schemas</a></li>
- </ul>
- <ul class="nav pull-right">
- <li class="dropdown">
- <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Apache<b class="caret"></b></a>
- <ul class="dropdown-menu">
- <li><a target="_blank"
href="https://www.apache.org/";>Home</a></li>
- <li><a target="_blank"
href="https://www.apache.org/foundation/sponsorship.html";>Sponsorship</a></li>
- <li><a target="_blank"
href="https://www.apache.org/licenses/";>License</a></li>
- <li><a target="_blank"
href="https://www.apache.org/foundation/thanks.html";>Thanks</a></li>
- <li><a target="_blank"
href="https://www.apache.org/events/current-event.html";>Current Events</a></li>
- <li><a target="_blank"
href="https://www.apache.org/security/";>Security</a></li>
- <li><a target="_blank"
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy</a></li>
- </ul>
- </li>
- </ul>
- </div>
- </div>
-</div>
-
-
-<div class="container">
- <div class="content">
- <div class="sect1">
-<h2 id="vulnerabilities">Known vulnerabilities</h2>
-<div class="sectionbody">
-<div class="paragraph">
-<p>The Logging Services Security Team believes that accuracy, completeness and
availability of security information is essential for our users.
-We choose to pool all information on this one page, allowing easy searching
for security vulnerabilities over a range of criteria.</p>
-</div>
-<div class="admonitionblock note">
-<table>
-<tr>
-<td class="icon">
-<div class="title">Note</div>
-</td>
-<td class="content">
-<div class="paragraph">
-<p>We adhere to <a
href="https://maven.apache.org/enforcer/enforcer-rules/versionRanges.html";>the
Maven version range syntax</a> while sharing versions of affected components.
-We only extend this mathematical notation with set union operator (i.e.,
<code>∪</code>) to denote union of multiple ranges.</p>
-</div>
-</td>
-</tr>
-</table>
-</div>
-<div class="sect2">
-<h3 id="CVE-2021-44832"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-44832";>CVE-2021-44832</a></h3>
-<table class="tableblock frame-all grid-all stretch">
-<colgroup>
-<col style="width: 16.6666%;">
-<col style="width: 83.3334%;">
-</colgroup>
-<tbody>
-<tr>
-<th class="tableblock halign-left valign-top"><p
class="tableblock">Summary</p></th>
-<td class="tableblock halign-left valign-top"><p class="tableblock">JDBC
appender is vulnerable to remote code execution in certain
configurations</p></td>
-</tr>
-<tr>
-<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x
Score & Vector</p></th>
-<td class="tableblock halign-left valign-top"><p class="tableblock">6.6 MEDIUM
(CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)</p></td>
-</tr>
-<tr>
-<th class="tableblock halign-left valign-top"><p class="tableblock">Components
affected</p></th>
-<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>log4j-core</code></p></td>
-</tr>
-<tr>
-<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
affected</p></th>
-<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>[2.0-beta7, 2.3.2) ∪ [2.4, 2.12.4) ∪ [2.13.0,
2.17.1)</code></p></td>
-</tr>
-<tr>
-<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
fixed</p></th>
-<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>2.3.2</code> (for Java 6), <code>2.12.4</code> (for
Java 7), or <code>2.17.1</code> (for Java 8 and later)</p></td>
-</tr>
-</tbody>
-</table>
-<div class="sect3">
-<h4 id="CVE-2021-44832-description">Description</h4>
-<div class="paragraph">
-<p>An attacker with write access to the logging configuration can construct a
malicious configuration using a JDBC Appender with a data source referencing a
JNDI URI which can execute remote code.
-This issue is fixed by limiting JNDI data source names to the
<code>java</code> protocol.</p>
-</div>
-</div>
-<div class="sect3">
-<h4 id="CVE-2021-44832-mitigation">Mitigation</h4>
-<div class="paragraph">
-<p>Upgrade to <code>2.3.2</code> (for Java 6), <code>2.12.4</code> (for Java
7), or <code>2.17.1</code> (for Java 8 and later).</p>
-</div>
-<div class="paragraph">
-<p>In prior releases confirm that if the JDBC Appender is being used it is not
configured to use any protocol other than <code>java</code>.</p>
-</div>
-</div>
-<div class="sect3">
-<h4 id="CVE-2021-44832-references">References</h4>
-<div class="ulist">
-<ul>
-<li>
-<p><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-44832";>CVE-2021-44832</a></p>
-</li>
-</ul>
-</div>
-</div>
-</div>
-<div class="sect2">
-<h3 id="CVE-2021-45105"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105";>CVE-2021-45105</a></h3>
-<table class="tableblock frame-all grid-all stretch">
-<colgroup>
-<col style="width: 16.6666%;">
-<col style="width: 83.3334%;">
-</colgroup>
-<tbody>
-<tr>
-<th class="tableblock halign-left valign-top"><p
class="tableblock">Summary</p></th>
-<td class="tableblock halign-left valign-top"><p class="tableblock">Infinite
recursion in lookup evaluation</p></td>
-</tr>
-<tr>
-<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x
Score & Vector</p></th>
-<td class="tableblock halign-left valign-top"><p class="tableblock">5.9 MEDIUM
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)</p></td>
-</tr>
-<tr>
-<th class="tableblock halign-left valign-top"><p class="tableblock">Components
affected</p></th>
-<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>log4j-core</code></p></td>
-</tr>
-<tr>
-<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
affected</p></th>
-<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>[2.0-alpha1, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0,
2.17.0)</code></p></td>
-</tr>
-<tr>
-<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
fixed</p></th>
-<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for
Java 7), and <code>2.17.0</code> (for Java 8 and later)</p></td>
-</tr>
-</tbody>
-</table>
-<div class="sect3">
-<h4 id="CVE-2021-45105-description">Description</h4>
-<div class="paragraph">
-<p>Log4j versions <code>2.0-alpha1</code> through <code>2.16.0</code>
(excluding <code>2.3.1</code> and <code>2.12.3</code>), did not protect from
uncontrolled recursion that can be implemented using self-referential lookups.
-When the logging configuration uses a non-default Pattern Layout with a
Context Lookup (for example, <code>$${ctx:loginId}</code>), attackers with
control over Thread Context Map (MDC) input data can craft malicious input data
that contains a recursive lookup, resulting in a
<code>StackOverflowError</code> that will terminate the process.
-This is also known as a <em>DoS (Denial-of-Service)</em> attack.</p>
-</div>
-</div>
-<div class="sect3">
-<h4 id="CVE-2021-45105-mitigation">Mitigation</h4>
-<div class="paragraph">
-<p>Upgrade to <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java
7), or <code>2.17.0</code> (for Java 8 and later).</p>
-</div>
-<div class="paragraph">
-<p>Alternatively, this infinite recursion issue can be mitigated in
configuration:</p>
-</div>
-<div class="ulist">
-<ul>
-<li>
-<p>In PatternLayout in the logging configuration, replace Context Lookups like
<code>${ctx:loginId}</code> or <code>$${ctx:loginId}</code> with Thread Context
Map patterns (<code>%X</code>, <code>%mdc</code>, or <code>%MDC</code>).</p>
-</li>
-<li>
-<p>Otherwise, in the configuration, remove references to Context Lookups like
<code>${ctx:loginId}</code> or <code>$${ctx:loginId}</code> where they originate
-from sources external to the application such as HTTP headers or user input.
-Note that this mitigation is insufficient in releases older than
<code>2.12.2</code> (for Java 7), and <code>2.16.0</code> (for Java 8 and
later) as the issues fixed in those releases will still be present.</p>
-</li>
-</ul>
-</div>
-<div class="paragraph">
-<p>Note that only the <code>log4j-core</code> JAR file is impacted by this
vulnerability.
-Applications using only the <code>log4j-api</code> JAR file without the
<code>log4j-core</code> JAR file are not impacted by this vulnerability.</p>
-</div>
-</div>
-<div class="sect3">
-<h4 id="CVE-2021-45105-credits">Credits</h4>
-<div class="paragraph">
-<p>Independently discovered by Hideki Okamoto of Akamai Technologies, Guy
Lederfein of Trend Micro Research working with Trend Micro’s Zero Day
Initiative, and another anonymous vulnerability researcher.</p>
-</div>
-</div>
-<div class="sect3">
-<h4 id="CVE-2021-45105-references">References</h4>
-<div class="ulist">
-<ul>
-<li>
-<p><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105";>CVE-2021-45105</a></p>
-</li>
-<li>
-<p><a
href="https://issues.apache.org/jira/browse/LOG4J2-3230";>LOG4J2-3230</a></p>
-</li>
-</ul>
-</div>
-</div>
-</div>
-<div class="sect2">
-<h3 id="CVE-2021-45046"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-45046";>CVE-2021-45046</a></h3>
-<table class="tableblock frame-all grid-all stretch">
-<colgroup>
-<col style="width: 16.6666%;">
-<col style="width: 83.3334%;">
-</colgroup>
-<tbody>
-<tr>
-<th class="tableblock halign-left valign-top"><p
class="tableblock">Summary</p></th>
-<td class="tableblock halign-left valign-top"><p class="tableblock">Thread
Context Lookup is vulnerable to remote code execution in certain
configurations</p></td>
-</tr>
-<tr>
-<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x
Score & Vector</p></th>
-<td class="tableblock halign-left valign-top"><p class="tableblock">9.0
CRITICAL (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)</p></td>
-</tr>
-<tr>
-<th class="tableblock halign-left valign-top"><p class="tableblock">Components
affected</p></th>
-<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>log4j-core</code></p></td>
-</tr>
-<tr>
-<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
affected</p></th>
-<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0,
2.17.0)</code></p></td>
-</tr>
-<tr>
-<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
fixed</p></th>
-<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for
Java 7), and <code>2.17.0</code> (for Java 8 and later)</p></td>
-</tr>
-</tbody>
-</table>
-<div class="sect3">
-<h4 id="CVE-2021-45046-description">Description</h4>
-<div class="paragraph">
-<p>It was found that the fix to address <a
href="#CVE-2021-44228">CVE-2021-44228</a> in Log4j <code>2.15.0</code> was
incomplete in certain non-default configurations.
-When the logging configuration uses a non-default Pattern Layout with a Thread
Context Lookup (for example, <code>$${ctx:loginId}</code>), attackers with
control over Thread Context Map (MDC) can craft malicious input data using a
JNDI Lookup pattern, resulting in an information leak and remote code execution
in some environments and local code execution in all environments.
-Remote code execution has been demonstrated on macOS, Fedora, Arch Linux, and
Alpine Linux.</p>
-</div>
-<div class="paragraph">
-<p>Note that this vulnerability is not limited to just the JNDI lookup.
-Any other Lookup could also be included in a Thread Context Map variable and
possibly have private details exposed to anyone with access to the logs.</p>
-</div>
-<div class="paragraph">
-<p>Note that only the <code>log4j-core</code> JAR file is impacted by this
vulnerability.
-Applications using only the <code>log4j-api</code> JAR file without the
<code>log4j-core</code> JAR file are not impacted by this vulnerability.</p>
-</div>
-</div>
-<div class="sect3">
-<h4 id="CVE-2021-45046-mitigation">Mitigation</h4>
-<div class="paragraph">
-<p>Upgrade to Log4j <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for
Java 7), or <code>2.17.0</code> (for Java 8 and later).</p>
-</div>
-</div>
-<div class="sect3">
-<h4 id="CVE-2021-45046-credits">Credits</h4>
-<div class="paragraph">
-<p>This issue was discovered by Kai Mindermann of iC Consult and separately by
4ra1n.</p>
-</div>
-<div class="paragraph">
-<p>Additional vulnerability details discovered independently by Ash Fox of
Google, Alvaro Muñoz and Tony Torralba from GitHub, Anthony Weems of
Praetorian, and RyotaK (@ryotkak).</p>
-</div>
-</div>
-<div class="sect3">
-<h4 id="CVE-2021-45046-references">References</h4>
-<div class="ulist">
-<ul>
-<li>
-<p><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-45046";>CVE-2021-45046</a></p>
-</li>
-<li>
-<p><a
href="https://issues.apache.org/jira/browse/LOG4J2-3221";>LOG4J2-3221</a></p>
-</li>
-</ul>
-</div>
-</div>
-</div>
-<div class="sect2">
-<h3 id="CVE-2021-44228"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228";>CVE-2021-44228</a></h3>
-<table class="tableblock frame-all grid-all stretch">
-<colgroup>
-<col style="width: 16.6666%;">
-<col style="width: 83.3334%;">
-</colgroup>
-<tbody>
-<tr>
-<th class="tableblock halign-left valign-top"><p
class="tableblock">Summary</p></th>
-<td class="tableblock halign-left valign-top"><p class="tableblock">JNDI
lookup can be exploited to execute arbitrary code loaded from an LDAP
server</p></td>
-</tr>
-<tr>
-<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x
Score & Vector</p></th>
-<td class="tableblock halign-left valign-top"><p class="tableblock">10.0
CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)</p></td>
-</tr>
-<tr>
-<th class="tableblock halign-left valign-top"><p class="tableblock">Components
affected</p></th>
-<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>log4j-core</code></p></td>
-</tr>
-<tr>
-<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
affected</p></th>
-<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0,
2.17.0)</code></p></td>
-</tr>
-<tr>
-<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
fixed</p></th>
-<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for
Java 7), and <code>2.17.0</code> (for Java 8 and later)</p></td>
-</tr>
-</tbody>
-</table>
-<div class="sect3">
-<h4 id="CVE-2021-44228-description">Description</h4>
-<div class="paragraph">
-<p>In Log4j, the JNDI features used in configurations, log messages, and
parameters do not protect against attacker-controlled LDAP and other JNDI
related endpoints.
-An attacker who can control log messages or log message parameters can execute
arbitrary code loaded from LDAP servers.</p>
-</div>
-<div class="paragraph">
-<p>Note that only the <code>log4j-core</code> JAR file is impacted by this
vulnerability.
-Applications using only the <code>log4j-api</code> JAR file without the
<code>log4j-core</code> JAR file are not impacted by this vulnerability.</p>
-</div>
-</div>
-<div class="sect3">
-<h4 id="CVE-2021-44228-mitigation">Mitigation</h4>
-<div class="sect4">
-<h5 id="CVE-2021-44228-mitigation-log4j1">Log4j 1 mitigation</h5>
-<div class="admonitionblock warning">
-<table>
-<tr>
-<td class="icon">
-<div class="title">Warning</div>
-</td>
-<td class="content">
-<div class="paragraph">
-<p><a href="http://logging.apache.org/log4j/1.x";>Log4j 1</a> has <a
href="https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces";>reached
End of Life</a> in 2015, and is no longer supported.
-Vulnerabilities reported after August 2015 against Log4j 1 are not checked and
will not be fixed.
-Users should <a href="manual/migration.html">upgrade to Log4j 2</a> to obtain
security fixes.</p>
-</div>
-</td>
-</tr>
-</table>
-</div>
-<div class="paragraph">
-<p>Log4j 1 does not have Lookups, so the risk is lower.
-Applications using Log4j 1 are only vulnerable to this attack when they use
JNDI in their configuration.
-A separate CVE (<a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-4104";>CVE-2021-4104</a>) has
been filed for this vulnerability.
-To mitigate, audit your logging configuration to ensure it has no
<code>JMSAppender</code> configured.
-Log4j 1 configurations without <code>JMSAppender</code> are not impacted by
this vulnerability.</p>
-</div>
-</div>
-<div class="sect4">
-<h5 id="CVE-2021-44228-mitigation-log4j2">Log4j 2 mitigation</h5>
-<div class="paragraph">
-<p>Upgrade to Log4j <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for
Java 7), or <code>2.17.0</code> (for Java 8 and later).</p>
-</div>
-</div>
-</div>
-<div class="sect3">
-<h4 id="CVE-2021-44228-credits">Credits</h4>
-<div class="paragraph">
-<p>This issue was discovered by Chen Zhaojun of Alibaba Cloud Security
Team.</p>
-</div>
-</div>
-<div class="sect3">
-<h4 id="CVE-2021-44228-references">References</h4>
-<div class="ulist">
-<ul>
-<li>
-<p><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228";>CVE-2021-44228</a></p>
-</li>
-<li>
-<p><a
href="https://issues.apache.org/jira/browse/LOG4J2-3198";>LOG4J2-3198</a></p>
-</li>
-<li>
-<p><a
href="https://issues.apache.org/jira/browse/LOG4J2-3201";>LOG4J2-3201</a></p>
-</li>
-</ul>
-</div>
-</div>
-</div>
-<div class="sect2">
-<h3 id="CVE-2020-9488"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2020-9488";>CVE-2020-9488</a></h3>
-<table class="tableblock frame-all grid-all stretch">
-<colgroup>
-<col style="width: 16.6666%;">
-<col style="width: 83.3334%;">
-</colgroup>
-<tbody>
-<tr>
-<th class="tableblock halign-left valign-top"><p
class="tableblock">Summary</p></th>
-<td class="tableblock halign-left valign-top"><p class="tableblock">Improper
validation of certificate with host mismatch in SMTP appender</p></td>
-</tr>
-<tr>
-<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x
Score & Vector</p></th>
-<td class="tableblock halign-left valign-top"><p class="tableblock">3.7 LOW
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)</p></td>
-</tr>
-<tr>
-<th class="tableblock halign-left valign-top"><p class="tableblock">Components
affected</p></th>
-<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>log4j-core</code></p></td>
-</tr>
-<tr>
-<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
affected</p></th>
-<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>[2.0-beta1, 2.12.3) ∪ [2.13.1, 2.13.2)</code></p></td>
-</tr>
-<tr>
-<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
fixed</p></th>
-<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>2.12.3</code> (Java 7) and <code>2.13.2</code> (Java 8
and later)</p></td>
-</tr>
-</tbody>
-</table>
-<div class="sect3">
-<h4 id="CVE-2020-9488-description">Description</h4>
-<div class="paragraph">
-<p>Improper validation of certificate with host mismatch in SMTP appender.
-This could allow an SMTPS connection to be intercepted by a man-in-the-middle
attack which could leak any log
-messages sent through that appender.</p>
-</div>
-<div class="paragraph">
-<p>The reported issue was caused by an error in <code>SslConfiguration</code>.
-Any element using <code>SslConfiguration</code> in the Log4j
<code>Configuration</code> is also affected by this issue.
-This includes <code>HttpAppender</code>, <code>SocketAppender</code>, and
<code>SyslogAppender</code>.
-Usages of <code>SslConfiguration</code> that are configured via system
properties are not affected.</p>
-</div>
-</div>
-<div class="sect3">
-<h4 id="CVE-2020-9488-mitigation">Mitigation</h4>
-<div class="paragraph">
-<p>Upgrade to <code>2.12.3</code> (Java 7) or <code>2.13.2</code> (Java 8 and
later).</p>
-</div>
-<div class="paragraph">
-<p>Alternatively, users can set the
<code>mail.smtp.ssl.checkserveridentity</code> system property to
<code>true</code> to enable SMTPS hostname verification for all SMTPS mail
sessions.</p>
-</div>
-</div>
-<div class="sect3">
-<h4 id="CVE-2020-9488-credits">Credits</h4>
-<div class="paragraph">
-<p>This issue was discovered by Peter Stöckli.</p>
-</div>
-</div>
-<div class="sect3">
-<h4 id="CVE-2020-9488-references">References</h4>
-<div class="ulist">
-<ul>
-<li>
-<p><a
href="https://nvd.nist.gov/vuln/detail/CVE-2020-9488";>CVE-2020-9488</a></p>
-</li>
-<li>
-<p><a
href="https://issues.apache.org/jira/browse/LOG4J2-2819";>LOG4J2-2819</a></p>
-</li>
-</ul>
-</div>
-</div>
-</div>
-<div class="sect2">
-<h3 id="CVE-2017-5645"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-5645";>CVE-2017-5645</a></h3>
-<table class="tableblock frame-all grid-all stretch">
-<colgroup>
-<col style="width: 16.6666%;">
-<col style="width: 83.3334%;">
-</colgroup>
-<tbody>
-<tr>
-<th class="tableblock halign-left valign-top"><p
class="tableblock">Summary</p></th>
-<td class="tableblock halign-left valign-top"><p class="tableblock">TCP/UDP
socket servers can be exploited to execute arbitrary code</p></td>
-</tr>
-<tr>
-<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 2.0
Score & Vector</p></th>
-<td class="tableblock halign-left valign-top"><p class="tableblock">7.5 HIGH
(AV:N/AC:L/Au:N/C:P/I:P/A:P)</p></td>
-</tr>
-<tr>
-<th class="tableblock halign-left valign-top"><p class="tableblock">Components
affected</p></th>
-<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>log4j-core</code></p></td>
-</tr>
-<tr>
-<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
affected</p></th>
-<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>[2.0-alpha1, 2.8.2)</code></p></td>
-</tr>
-<tr>
-<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
fixed</p></th>
-<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>2.8.2</code> (Java 7)</p></td>
-</tr>
-</tbody>
-</table>
-<div class="sect3">
-<h4 id="CVE-2017-5645-description">Description</h4>
-<div class="paragraph">
-<p>When using the TCP socket server or UDP socket server to receive serialized
log events from another application, a specially crafted binary payload can be
sent that, when deserialized, can execute arbitrary code.</p>
-</div>
-</div>
-<div class="sect3">
-<h4 id="CVE-2017-5645-mitigation">Mitigation</h4>
-<div class="paragraph">
-<p>Java 7 and above users should migrate to version <code>2.8.2</code> or
avoid using the socket server classes.
-Java 6 users should avoid using the TCP or UDP socket server classes, or they
can manually backport <a
href="https://github.com/apache/logging-log4j2/commit/5dcc192";>the security fix
commit</a> from <code>2.8.2</code>.</p>
-</div>
-</div>
-<div class="sect3">
-<h4 id="CVE-2017-5645-credits">Credits</h4>
-<div class="paragraph">
-<p>This issue was discovered by Marcio Almeida de Macedo of Red Team at
Telstra.</p>
-</div>
-</div>
-<div class="sect3">
-<h4 id="CVE-2017-5645-references">References</h4>
-<div class="ulist">
-<ul>
-<li>
-<p><a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-5645";>CVE-2017-5645</a></p>
-</li>
-<li>
-<p><a
href="https://issues.apache.org/jira/browse/LOG4J2-1863";>LOG4J2-1863</a></p>
-</li>
-<li>
-<p><a href="https://github.com/apache/logging-log4j2/commit/5dcc192";>Security
fix commit</a></p>
-</li>
-</ul>
-</div>
-</div>
-</div>
-</div>
-</div>
- </div>
-</div>
-
-
-<div class="footer">
- <div class="container">
- <p>
- Copyright © 2017-2024 <a href="https://www.apache.org";
target="external">The Apache Software Foundation</a>.
- Licensed under the <a
href="https://www.apache.org/licenses/LICENSE-2.0";
- target="external">Apache Software License, Version 2.0</a> Please
read our <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>privacy
policy</a>.
- </p><p>
- Apache, Chainsaw, log4cxx, Log4j, Log4net, log4php and the Apache
- feather logo are trademarks or registered trademarks of The Apache
- Software Foundation.
- Oracle and Java are registered trademarks
- of Oracle and/or its affiliates. Other names may be trademarks of
their respective owners.
- </p>
- </div>
-</div>
-<!-- Matomo -->
-<script>
- var _paq = window._paq = window._paq || [];
- _paq.push(["disableCookies"]);
- _paq.push(['trackPageView']);
- _paq.push(['enableLinkTracking']);
- (function() {
- var u="https://analytics.apache.org/";;
- _paq.push(['setTrackerUrl', u+'matomo.php']);
- _paq.push(['setSiteId', '42']);
- var d=document, g=d.createElement('script'),
s=d.getElementsByTagName('script')[0];
- g.async=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);
- })();
-</script>
-<noscript><p><img
src="https://analytics.apache.org/matomo.php?idsite=42&rec=1";
style="border:0;" alt="" /></p></noscript>
-<!-- End Matomo Code -->
-</body>
-</html>
diff --git a/content/support.html b/content/support.html
index e6974a01..b2655471 100644
--- a/content/support.html
+++ b/content/support.html
@@ -27,7 +27,6 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/support.html">Support & Help</a></li>
<li><a href="/processes.html">Retirement Processes</a>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home";>Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
@@ -39,17 +38,10 @@
<li><a href="/download.html">Download</a></li>
</ul>
<ul class="nav">
- <li><a href="/blog">Blog</a></li>
+ <li><a href="/support.html">Support</a></li>
</ul>
<ul class="nav">
- <li class="dropdown">
- <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
- <ul class="dropdown-menu">
- <li><a href="/security/">Handling Security</a></li>
- <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
- <li><a href="/activity-monitor/">Activity
Monitor</a></li>
- </ul>
- </li>
+ <li><a href="/security.html">Security</a></li>
</ul>
<ul class="nav">
<li><a href="/xml/ns">XML Schemas</a></li>
@@ -68,6 +60,9 @@
</ul>
</li>
</ul>
+ <ul class="nav pull-right">
+ <li><a href="/blog">Blog</a></li>
+ </ul>
</div>
</div>
</div>
@@ -78,9 +73,23 @@
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
+<p>Logging Services employ many public and private support channels for users,
contributors, and maintainers.</p>
+</div>
+<div class="admonitionblock important">
+<table>
+<tr>
+<td class="icon">
+<div class="title">Important</div>
+</td>
+<td class="content">
+<div class="paragraph">
<p>The Apache Software Foundation does not employ individuals to develop and
support any of its projects.
The individuals who contribute to Apache projects do it either as part of
specific tasks assigned to them by their employer, on their own initiative to
benefit their employer, or on their own free time.</p>
</div>
+</td>
+</tr>
+</table>
+</div>
</div>
</div>
<div class="sect1">
@@ -103,19 +112,16 @@ The individuals who contribute to Apache projects do it
either as part of specif
</ul>
</div>
<div class="paragraph">
-<p>We urge you to first check our <a href="faq.html">FAQ</a> to see if it has
already been answered.
-If not, you can ask your questions on one of our official user support
channels:</p>
+<p>We urge you to first check the website of the associated project to see if
your question has already been answered there.
+If not, you can use one the following communication channels:</p>
</div>
<div class="ulist">
<ul>
<li>
-<p><a href="https://github.com/apache/logging-log4j2/discussions";>GitHub
Discussions</a> (<strong>experimental</strong>)</p>
+<p>GitHub Discussions (<a
href="https://github.com/apache/logging-log4cxx/discussions";>Log4cxx</a>, <a
href="https://github.com/apache/logging-log4j2/discussions";>Log4j</a>, <a
href="https://github.com/apache/logging-log4net/discussions";>Log4net</a>)</p>
</li>
<li>
-<p><code>[email protected]</code> mailing list (public | <a
href="mailto:[email protected]";>subscribe</a> | <a
href="mailto:[email protected]";>unsubscribe</a> | <a
href="mailto:[email protected]";>post</a> | <a
href="https://lists.apache.org/list.html?log4j-user@logging.apache.org";>archive</a>)</p>
-</li>
-</ul>
-</div>
+<p><code>[email protected]</code> mailing list (<a
href="mailto:[email protected]";>subscribe</a> | <a
href="mailto:[email protected]";>unsubscribe</a> | <a
href="mailto:[email protected]";>post</a> | <a
href="https://lists.apache.org/list.html?log4j-user@logging.apache.org";>archive</a>)</p>
<div class="admonitionblock warning">
<table>
<tr>
@@ -148,10 +154,9 @@ For more information, please see the <a
href="https://privacy.apache.org/policie
</tr>
</table>
</div>
-<div class="ulist">
-<ul>
+</li>
<li>
-<p><a href="http://stackoverflow.com";>Stack Overflow</a> (use <a
href="http://stackoverflow.com/questions/tagged/log4j";>log4j</a> or <a
href="http://stackoverflow.com/questions/tagged/log4j2";>log4j2</a> tags)</p>
+<p>Stack Overflow (<a
href="http://stackoverflow.com/questions/tagged/log4cxx";>Log4cxx</a>, <a
href="http://stackoverflow.com/questions/tagged/log4j";>Log4j</a>, <a
href="http://stackoverflow.com/questions/tagged/log4j";>Log4net</a>)</p>
</li>
</ul>
</div>
@@ -161,50 +166,45 @@ For more information, please see the <a
href="https://privacy.apache.org/policie
<h2 id="maintainer-discussions">Maintainer discussions</h2>
<div class="sectionbody">
<div class="paragraph">
-<p>Apache Log4j project officially uses mailing lists for discussions related
to maintenance and development.</p>
-</div>
-<div class="admonitionblock warning">
-<table>
-<tr>
-<td class="icon">
-<div class="title">Warning</div>
-</td>
-<td class="content">
-<div class="paragraph">
-<p><strong>You are expected to be subscribed</strong> to a mailing list to
receive replies to your posted questions!
-If you are not subscribed, when you post an email, it will be subject to
moderation (hence, will be distributed with a delay) and the only way you would
be able to follow the conversation is to use the mailing list archive.</p>
-</div>
-</td>
-</tr>
-</table>
-</div>
-<div class="paragraph">
<p>If you have questions or feedback like:</p>
</div>
<div class="ulist">
<ul>
<li>
-<p>A class should have public visibility instead of package-scoped</p>
+<p>A class should be public instead of package-private</p>
</li>
<li>
<p>A plugin is missing configuration options</p>
</li>
<li>
-<p>You found a bug</p>
+<p>You’ve found a bug</p>
</li>
</ul>
</div>
<div class="paragraph">
-<p>then please contact us using the following mailing lists:</p>
+<p>then please contact us using the following channels:</p>
</div>
-<div class="dlist">
-<dl>
-<dt class="hdlist1"><code>[email protected]</code> (public | <a
href="mailto:[email protected]";>subscribe</a> | <a
href="mailto:[email protected]";>unsubscribe</a> | <a
href="mailto:[email protected]";>post</a> | <a
href="https://lists.apache.org/list.html?dev@logging.apache.org";>archive</a>)</dt>
-<dd>
-<p>For <em>development</em> discussions
-(Please prefix subjects with <code>[log4j]</code> when starting a new
thread!)</p>
-</dd>
-</dl>
+<div class="ulist">
+<ul>
+<li>
+<p>GitHub Discussions (<a
href="https://github.com/apache/logging-log4cxx/discussions";>Log4cxx</a>, <a
href="https://github.com/apache/logging-log4j2/discussions";>Log4j</a>, <a
href="https://github.com/apache/logging-log4net/discussions";>Log4net</a>)</p>
+</li>
+<li>
+<p><code>[email protected]</code> mailing list (<a
href="mailto:[email protected]";>subscribe</a> | <a
href="mailto:[email protected]";>unsubscribe</a> | <a
href="mailto:[email protected]";>post</a> | <a
href="https://lists.apache.org/list.html?dev@logging.apache.org";>archive</a>)</p>
+<div class="admonitionblock warning">
+<table>
+<tr>
+<td class="icon">
+<div class="title">Warning</div>
+</td>
+<td class="content">
+<div class="paragraph">
+<p><strong>You are expected to be subscribed</strong> to a mailing list to
receive replies to your posted questions!
+If you are not subscribed, when you post an email, it will be subject to
moderation (hence, will be distributed with a delay) and the only way you would
be able to follow the conversation is to use the mailing list archive.</p>
+</div>
+</td>
+</tr>
+</table>
</div>
<div class="admonitionblock warning">
<table>
@@ -223,17 +223,28 @@ For more information, please see the <a
href="https://privacy.apache.org/policie
</tr>
</table>
</div>
-<div class="dlist">
-<dl>
-<dt class="hdlist1"><code>[email protected]</code> (private | <a
href="mailto:[email protected]";>post</a>)</dt>
-<dd>
-<p>For reporting unlisted <strong>security vulnerabilities</strong> or other
unexpected behaviour that has a security impact</p>
-</dd>
-<dt class="hdlist1"><code>[email protected]</code> (private | <a
href="mailto:[email protected]";>post</a>)</dt>
-<dd>
-<p>For the discussion of confidential topics within the Apache Logging
Services project management committee.</p>
-</dd>
-</dl>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="private">Private discussions</h2>
+<div class="sectionbody">
+<div class="paragraph">
+<p>Users are strongly advised to use one of the above public channels.
+If it deems necessary, use following channels for private discussions.</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p><code>[email protected]</code> mailing list (<a
href="mailto:[email protected]";>post</a>) is used for reporting
unlisted <strong>security vulnerabilities</strong> or other unexpected
behaviour that has a security impact.
+Make sure to check <a href="security.html">the Security page</a> before
sending an email.</p>
+</li>
+<li>
+<p><code>[email protected]</code> mailing list (<a
href="mailto:[email protected]";>post</a>) is used for discussing other
confidential topics with the Logging Services PMC.</p>
+</li>
+</ul>
</div>
</div>
</div>
@@ -241,8 +252,8 @@ For more information, please see the <a
href="https://privacy.apache.org/policie
<h2 id="issues">Issues</h2>
<div class="sectionbody">
<div class="paragraph">
-<p>The Log4j project uses <a
href="https://github.com/apache/logging-log4j2/issues";>GitHub Issues</a> as its
issue tracking system.
-The old issue tracking system, <a
href="https://issues.apache.org/jira/projects/LOG4J2";>JIRA</a>, is still
accessible, though only recommended for issues that were already created
there.</p>
+<p>Logging Services projects use GitHub Issues (<a
href="https://github.com/apache/logging-log4cxx/issues";>Log4cxx</a>, <a
href="https://github.com/apache/logging-log4j2/issues";>Log4j</a>, <a
href="https://github.com/apache/logging-log4j2/issues";>Log4net</a>) as their
issue tracking system.
+The old issue tracking system, JIRA (<a
href="https://issues.apache.org/jira/projects/LOGCXX";>Log4cxx</a>, <a
href="https://issues.apache.org/jira/projects/LOG4J2";>Log4j</a>), is still
accessible, though only recommended for issues that were already created
there.</p>
</div>
<div class="paragraph">
<p>Issues get resolved in one of the following ways:</p>
@@ -250,7 +261,7 @@ The old issue tracking system, <a
href="https://issues.apache.org/jira/projects/
<div class="olist arabic">
<ol class="arabic">
<li>
-<p>The reporter or another interested party provides <a
href="https://github.com/apache/logging-log4j2/pulls";>a pull request</a>
tagging the issue in its title</p>
+<p>The reporter or another interested party provides a pull request tagging
the issue in its title</p>
</li>
<li>
<p>A committer is interested in the issue and decides to work on it</p>
@@ -320,17 +331,30 @@ In either case, while the Apache Logging Services project
thanks you for your su
<h2 id="commercial">Third-party commercial support</h2>
<div class="sectionbody">
<div class="paragraph">
-<p>While neither the Apache Software Foundation nor the Apache Logging
Services project provide any commercial support for the Log4j products,
individual committers may collaborate with services that provide such
support.</p>
+<p>While neither the Apache Software Foundation nor the Apache Logging
Services project provide any commercial support for the Logging Services
products, individual committers may collaborate with services that provide such
support.</p>
</div>
<div class="paragraph">
-<p>The following aims to be a list of all commercial support services
involving one or more Log4j committers.</p>
-</div>
-<div class="sect2">
-<h3 id="tidelift">Tidelift</h3>
-<div class="paragraph">
-<p>Some Log4j maintainers receive funding from Tidelift for their maintenance
efforts.
-See <a href="https://tidelift.com";>the Tidelift website</a> for details.</p>
+<p>The following aims to be a list of all commercial support services
involving one or more <a href="team-list.html">Logging Services PMC
members</a>.</p>
</div>
+<div class="dlist">
+<dl>
+<dt class="hdlist1"><a href="https://volkan.yazi.ci";>Abstract Dynamics</a></dt>
+<dd>
+<p>Consultancy services offered by PMC member <a
href="https://www.linkedin.com/in/yazicivo";>Volkan Yazıcı</a></p>
+</dd>
+<dt class="hdlist1"><a href="https://copernik.eu";>Copernik</a></dt>
+<dd>
+<p>Consultancy services offered by PMC member <a
href="https://www.linkedin.com/in/ppkarwasz";>Piotr Karwasz</a></p>
+</dd>
+<dt class="hdlist1"><a href="https://grobmeier.solutions";>Grobmeier
Solutions</a></dt>
+<dd>
+<p>Consultancy services offered by PMC member <a
href="https://www.linkedin.com/in/grobmeier/";>Christian Grobmeier</a></p>
+</dd>
+<dt class="hdlist1"><a href="https://tidelift.com";>Tidelift</a></dt>
+<dd>
+<p>Some Log4j maintainers receive funding from Tidelift for their maintenance
efforts.</p>
+</dd>
+</dl>
</div>
</div>
</div>
diff --git a/content/team-list.html b/content/team-list.html
index ff3a0463..2ba16930 100644
--- a/content/team-list.html
+++ b/content/team-list.html
@@ -27,7 +27,6 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/support.html">Support & Help</a></li>
<li><a href="/processes.html">Retirement Processes</a>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home";>Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
@@ -39,17 +38,10 @@
<li><a href="/download.html">Download</a></li>
</ul>
<ul class="nav">
- <li><a href="/blog">Blog</a></li>
+ <li><a href="/support.html">Support</a></li>
</ul>
<ul class="nav">
- <li class="dropdown">
- <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
- <ul class="dropdown-menu">
- <li><a href="/security/">Handling Security</a></li>
- <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
- <li><a href="/activity-monitor/">Activity
Monitor</a></li>
- </ul>
- </li>
+ <li><a href="/security.html">Security</a></li>
</ul>
<ul class="nav">
<li><a href="/xml/ns">XML Schemas</a></li>
@@ -68,6 +60,9 @@
</ul>
</li>
</ul>
+ <ul class="nav pull-right">
+ <li><a href="/blog">Blog</a></li>
+ </ul>
</div>
</div>
</div>
diff --git a/content/what-is-logging.html b/content/what-is-logging.html
index bc50fac8..04bfe269 100644
--- a/content/what-is-logging.html
+++ b/content/what-is-logging.html
@@ -27,7 +27,6 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/support.html">Support & Help</a></li>
<li><a href="/processes.html">Retirement Processes</a>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home";>Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
@@ -39,17 +38,10 @@
<li><a href="/download.html">Download</a></li>
</ul>
<ul class="nav">
- <li><a href="/blog">Blog</a></li>
+ <li><a href="/support.html">Support</a></li>
</ul>
<ul class="nav">
- <li class="dropdown">
- <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
- <ul class="dropdown-menu">
- <li><a href="/security/">Handling Security</a></li>
- <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
- <li><a href="/activity-monitor/">Activity
Monitor</a></li>
- </ul>
- </li>
+ <li><a href="/security.html">Security</a></li>
</ul>
<ul class="nav">
<li><a href="/xml/ns">XML Schemas</a></li>
@@ -68,6 +60,9 @@
</ul>
</li>
</ul>
+ <ul class="nav pull-right">
+ <li><a href="/blog">Blog</a></li>
+ </ul>
</div>
</div>
</div>
diff --git a/content/xml/ns/index.html b/content/xml/ns/index.html
index abd7fd2f..963fb476 100644
--- a/content/xml/ns/index.html
+++ b/content/xml/ns/index.html
@@ -27,7 +27,6 @@
<li><a href="/guidelines.html">Guidelines</a></li>
<li><a href="/charter.html">Charter</a></li>
<li><a href="/team-list.html">Team</a></li>
- <li><a href="/support.html">Support & Help</a></li>
<li><a href="/processes.html">Retirement Processes</a>
<li><a target="_blank"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home";>Wiki</a>
<li><a href="/what-is-logging.html">What is
logging?</a>
@@ -39,17 +38,10 @@
<li><a href="/download.html">Download</a></li>
</ul>
<ul class="nav">
- <li><a href="/blog">Blog</a></li>
+ <li><a href="/support.html">Support</a></li>
</ul>
<ul class="nav">
- <li class="dropdown">
- <a href="#" class="dropdown-toggle"
data-toggle="dropdown">Security<b class="caret"></b></a>
- <ul class="dropdown-menu">
- <li><a href="/security/">Handling Security</a></li>
- <li><a
href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li>
- <li><a href="/activity-monitor/">Activity
Monitor</a></li>
- </ul>
- </li>
+ <li><a href="/security.html">Security</a></li>
</ul>
<ul class="nav">
<li><a href="/xml/ns">XML Schemas</a></li>
@@ -68,6 +60,9 @@
</ul>
</li>
</ul>
+ <ul class="nav pull-right">
+ <li><a href="/blog">Blog</a></li>
+ </ul>
</div>
</div>
</div>
