This is an automated email from the ASF dual-hosted git repository. pkarwasz pushed a commit to branch doc/vulnerabilities in repository https://gitbox.apache.org/repos/asf/logging-site.git
commit 34745cb9db2e9ff0df5a5db9fcf3f892f51ca051
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Mon Jan 27 11:56:22 2025 +0100

Proofread CVE fix versions for `2.x` branch

For the `2.x` branch:

**CVE-2021-44228** (Log4Shell) was fixed in `2.15.0`:

- c77b3cb39312b83b053d23a2158b99ac7de44dd3
- 001aaada7dab82c3c09cde5f8e14245dc9d8b454

**CVE-2021-45046** (Log4Shell through recursive lookup evaluation) was fixed in `2.16.0`:

- c362aff473e9812798ff8f25f30a2619996605d5
- 27972043b76c9645476f561c5adc483dec6d3f5d

**CVE-2021-45105** (DoS through recursive lookup evaluation) was fixed in `2.12.3`:

- 806023265f8c905b2dd1d81fd2458f64b2ea0b5e

**CVE-2021-44832** (RCE if you have access to configuration) was fixed in `2.12.3`:

- 95b24f77e77e4f1e5cc794df5332643e944fd6f8

**Note**: Unless I am mistaken, version `2.17.1` didn't contain any security updates.

--- _vulnerabilities.adoc | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/_vulnerabilities.adoc b/_vulnerabilities.adoc index 906b3821..31738d90 100644 --- a/_vulnerabilities.adoc +++ b/_vulnerabilities.adoc @@ -32,8 +32,8 @@ We only extend this mathematical notation with set union operator (i.e., `∪`) |Summary |JDBC appender is vulnerable to remote code execution in certain configurations |CVSS 3.x Score & Vector |6.6 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) |Components affected |`log4j-core` -|Versions affected |`[2.0-beta7, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.1)` -|Versions fixed |`2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.1` (for Java 8 and later) +|Versions affected |`[2.0-beta7, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)` +|Versions fixed |`2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.0` (for Java 8 and later) |=== [#CVE-2021-44832-description] 
@@ -45,7 +45,7 @@ This issue is fixed by limiting JNDI data source names to the `java` protocol. [#CVE-2021-44832-mitigation] ==== Mitigation -Upgrade to `2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.1` (for Java 8 and later). +Upgrade to `2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.0` (for Java 8 and later). In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than `java`. @@ -107,8 +107,8 @@ Independently discovered by Hideki Okamoto of Akamai Technologies, Guy Lederfein |Summary |Thread Context Lookup is vulnerable to remote code execution in certain configurations |CVSS 3.x Score & Vector |9.0 CRITICAL (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) |Components affected |`log4j-core` -|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)` -|Versions fixed |`2.3.1` (for Java 6), `2.12.3` (for Java 7), and `2.17.0` (for Java 8 and later) +|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.16.0)` +|Versions fixed |`2.3.1` (for Java 6), `2.12.3` (for Java 7), and `2.16.0` (for Java 8 and later) |=== [#CVE-2021-45046-description] @@ -127,7 +127,7 @@ Applications using only the `log4j-api` JAR file without the `log4j-core` JAR fi [#CVE-2021-45046-mitigation] ==== Mitigation -Upgrade to Log4j `2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.0` (for Java 8 and later). +Upgrade to Log4j `2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.16.0` (for Java 8 and later). [#CVE-2021-45046-credits] ==== Credits 
@@ -150,8 +150,8 @@ Additional vulnerability details discovered independently by Ash Fox of Google, |Summary |JNDI lookup can be exploited to execute arbitrary code loaded from an LDAP server |CVSS 3.x Score & Vector |10.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) |Components affected |`log4j-core` -|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.2) ∪ [2.13.0, 2.17.0)` -|Versions fixed |`2.3.1` (for Java 6), `2.12.2` (for Java 7), and `2.17.0` (for Java 8 and later) +|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.2) ∪ [2.13.0, 2.15.0)` +|Versions fixed |`2.3.1` (for Java 6), `2.12.2` (for Java 7), and `2.15.0` (for Java 8 and later) |=== [#CVE-2021-44228-description] @@ -180,7 +180,7 @@ Log4j 1 configurations without `JMSAppender` are not impacted by this vulnerabil [#CVE-2021-44228-mitigation-log4j2] ===== Log4j 2 mitigation -Upgrade to Log4j `2.3.1` (for Java 6), `2.12.2` (for Java 7), or `2.17.0` (for Java 8 and later). +Upgrade to Log4j `2.3.1` (for Java 6), `2.12.2` (for Java 7), or `2.15.0` (for Java 8 and later). [#CVE-2021-44228-credits] ==== Credits
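Review bot: the change of the CVE-2021-44832 fix version from `2.17.1` to `2.17.0` in the `@@ -32,8 +32,8 @@` hunk (and the matching mitigation line in the `@@ -45,7 +45,7 @@` hunk) looks incorrect. The context line of the `@@ -45` hunk states that "This issue is fixed by limiting JNDI data source names to the `java` protocol", and that restriction shipped in the `2.17.1` release, not in `2.17.0`. The commit message's assumption that `2.17.1` carried no security fix should be checked against the 2.17.1 release notes before this lands; I would keep `[2.13.0, 2.17.1)` in the affected range and `2.17.1` (for Java 8 and later) in both the table row and the mitigation sentence.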
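Review bot: the mitigation rewritten in the `@@ -180,7 +180,7 @@` hunk now tells readers to upgrade to `2.15.0` (for Java 8 and later), yet the CVE-2021-45046 table changed in the `@@ -107,8 +107,8 @@` hunk of the same patch lists `[2.13.0, 2.16.0)` as affected, so `2.15.0` is itself vulnerable to the follow-up issue documented further up in this file. Recording `2.15.0` as the first fixed release in the "Versions fixed" row is accurate, but a mitigation section is read as operational advice, so suggest wording it as `2.15.0` or later (or pointing readers at the latest `2.x` release); the same applies to the `2.16.0` mitigation in the `@@ -127,7 +127,7 @@` hunk, since the commit message itself records a later DoS fix beyond that version.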
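Review bot: style point on the `@@ -150,8 +150,8 @@` hunk: the "Versions fixed" row now reads "`2.12.2` (for Java 7), and `2.15.0`", while the equivalent row edited in the `@@ -32,8 +32,8 @@` hunk uses "or `2.17.0`". Since each row lists alternatives keyed on the Java version, "or" is the right conjunction; suggest aligning this row and the CVE-2021-45046 row in the `@@ -107,8 +107,8 @@` hunk to "or" while they are being touched.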
