This is an automated email from the ASF dual-hosted git repository.

pkarwasz pushed a commit to branch doc/vulnerabilities
in repository https://gitbox.apache.org/repos/asf/logging-site.git
commit c61a7bca7e17572aafb2df23d3a081823b1642ab Author: Piotr P. Karwasz <[email protected]> AuthorDate: Mon Jan 27 11:11:13 2025 +0100 Proofread CVE fix versions for `2.12.x` branch For the `2.12.x` branch: **CVE-2020-9488** (host name validation) was fixed in `2.12.3`: - 2bcba12b185200b7f3f2532cbfeff1e1da0d5c81 - bb94ea9fa921a61f90b6a934600567e719419ddd **CVE-2021-44228** (Log4Shell) was fixed in `2.12.2`: - 70edc233343815d5efa043b54294a6fb065aa1c5 - f819c83804152cb6ed94cb408302e36b21b65053 **CVE-2021-45046** (Log4Shell through recursive lookup evaluation) was fixed in `2.12.3`: - bf8ba18f63ab9f9ffd54387c5c527ecc7a681037 **CVE-2021-45105** (DoS through recursive lookup evaluation) was fixed in `2.12.3`: - bf7e916df6335713fe2219c7b3b523fb509deabc **CVE-2021-44832** (RCE if you have access to configuration) was fixed in `2.12.3`: - bf8ba18f63ab9f9ffd54387c5c527ecc7a681037 **Note**: Unless I am mistaken, version `2.12.4` didn't contain any security updates. --- _vulnerabilities.adoc | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/_vulnerabilities.adoc b/_vulnerabilities.adoc index 2c14e3ec..906b3821 100644 --- a/_vulnerabilities.adoc +++ b/_vulnerabilities.adoc @@ -32,8 +32,8 @@ We only extend this mathematical notation with set union operator (i.e., `∪`) |Summary |JDBC appender is vulnerable to remote code execution in certain configurations |CVSS 3.x Score & Vector |6.6 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) |Components affected |`log4j-core` -|Versions affected |`[2.0-beta7, 2.3.1) ∪ [2.4, 2.12.4) ∪ [2.13.0, 2.17.1)` -|Versions fixed |`2.3.1` (for Java 6), `2.12.4` (for Java 7), or `2.17.1` (for Java 8 and later) +|Versions affected |`[2.0-beta7, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.1)` +|Versions fixed |`2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.1` (for Java 8 and later) |=== [#CVE-2021-44832-description] 
@@ -45,7 +45,7 @@ This issue is fixed by limiting JNDI data source names to the `java` protocol. [#CVE-2021-44832-mitigation] ==== Mitigation -Upgrade to `2.3.1` (for Java 6), `2.12.4` (for Java 7), or `2.17.1` (for Java 8 and later). +Upgrade to `2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.1` (for Java 8 and later). In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than `java`. @@ -150,8 +150,8 @@ Additional vulnerability details discovered independently by Ash Fox of Google, |Summary |JNDI lookup can be exploited to execute arbitrary code loaded from an LDAP server |CVSS 3.x Score & Vector |10.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) |Components affected |`log4j-core` -|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)` -|Versions fixed |`2.3.1` (for Java 6), `2.12.3` (for Java 7), and `2.17.0` (for Java 8 and later) +|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.2) ∪ [2.13.0, 2.17.0)` +|Versions fixed |`2.3.1` (for Java 6), `2.12.2` (for Java 7), and `2.17.0` (for Java 8 and later) |=== [#CVE-2021-44228-description] @@ -180,7 +180,7 @@ Log4j 1 configurations without `JMSAppender` are not impacted by this vulnerabil [#CVE-2021-44228-mitigation-log4j2] ===== Log4j 2 mitigation -Upgrade to Log4j `2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.0` (for Java 8 and later). +Upgrade to Log4j `2.3.1` (for Java 6), `2.12.2` (for Java 7), or `2.17.0` (for Java 8 and later). [#CVE-2021-44228-credits] ==== Credits 
@@ -203,7 +203,7 @@ This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team. |Summary |Improper validation of certificate with host mismatch in SMTP appender |CVSS 3.x Score & Vector |3.7 LOW (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) |Components affected |`log4j-core` -|Versions affected |`[2.0-beta1, 2.3.2) ∪ [2.4, 2.12.2) ∪ [2.13.0, 2.13.2)` +|Versions affected |`[2.0-beta1, 2.3.2) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.13.2)` |Versions fixed |`2.3.2` (for Java 6), `2.12.3` (for Java 7) and `2.13.2` (for Java 8 and later) |===
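Review bot: in the first hunk (`@@ -32,8 +32,8 @@`, CVE-2021-44832) the only evidence given in the commit message for moving the fix to `2.12.3` is commit bf8ba18f63ab9f9ffd54387c5c527ecc7a681037, which is the same hash the message cites for CVE-2021-45046. If that single commit really carried both the JNDI data source restriction and the recursive-lookup fix, the message should say so; otherwise one of the two hashes is wrong and the new `[2.4, 2.12.3)` interval rests on the wrong commit. Worth confirming against the `2.12.3` release notes before merging.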
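Review bot: in the second hunk (`@@ -45,7 +45,7 @@`) the mitigation sentence "Upgrade to `2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.1` (for Java 8 and later)." duplicates the `Versions fixed` row changed in the hunk above it, which is why this correction had to be applied twice per CVE throughout the patch. Consider pointing the mitigation text at the table row (or a shared AsciiDoc attribute) so the two cannot drift apart again.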
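Review bot: in the third hunk (`@@ -150,8 +150,8 @@`, CVE-2021-44228) the `Versions fixed` row now reads "`2.12.2` (for Java 7), and `2.17.0`" while the CVE-2021-44832 row in the first hunk reads "`2.12.3` (for Java 7), or `2.17.1`"; pick one conjunction for all the rows in this file. The interval change itself matches the commit message, which attributes the `2.12.2` fix to 70edc233343815d5efa043b54294a6fb065aa1c5 and f819c83804152cb6ed94cb408302e36b21b65053.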
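Review bot: in the fourth hunk (`@@ -180,7 +180,7 @@`) recommending `2.12.2` is accurate for CVE-2021-44228 taken on its own, but the commit message states that CVE-2021-45046 (Log4Shell through recursive lookup evaluation) was only fixed in `2.12.3`, so a reader who follows this line on the `2.12.x` branch stops one release short of the follow-up fix. Consider adding a cross-reference to the CVE-2021-45046 section next to the Java 7 recommendation, or recommending `2.12.3` here with a note on why.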
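Review bot: in the last hunk (`@@ -203,7 +203,7 @@`, CVE-2020-9488) widening the affected interval to `[2.4, 2.12.3)` brings it into line with the unchanged `Versions fixed` row, which already named `2.12.3` for Java 7, so this corrects an internal inconsistency rather than a new finding; the remaining nit is that this row reads "`2.12.3` (for Java 7) and `2.13.2`" with no comma before `and`, unlike the rows edited earlier in the patch.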
