This is an automated email from the ASF dual-hosted git repository. pkarwasz pushed a commit to branch doc/vulnerabilities in repository https://gitbox.apache.org/repos/asf/logging-site.git
commit 4109a966b059acf701759fb483c0d91cc5bcf5e4 Author: Piotr P. Karwasz <[email protected]> AuthorDate: Mon Jan 27 09:15:03 2025 +0100 Proofread CVE fix versions for `2.3.x` branch For the `2.3.x` branch: **CVE-2017-5645** (server class) was never fixed, the TCP/UDP socket server is still there. **CVE-2020-9488** (host name validation) was fixed in `2.3.2`: - 3c62f0bea692456b1b5039d3bcc1c3e0ba65146a **CVE-2021-44228** (Log4Shell) was fixed in `2.3.1`: - be848dacbac6df30c4f32b2852e24446033ecf79 - f6564bb993d547d0a371b75d869042c334bf57f0 **CVE-2021-45046** (Log4Shell through recursive lookup evaluation) was fixed in `2.3.1`: - f6564bb993d547d0a371b75d869042c334bf57f0 **CVE-2021-45105** (DoS through recursive lookup evaluation) was fixed in `2.3.1`: - ce6b78d082aae89089cb3ad25cdd46e9ec70a70b **CVE-2021-44832** (RCE if you have access to configuration) was fixed in `2.3.1`: - f6564bb993d547d0a371b75d869042c334bf57f0 --- _vulnerabilities.adoc | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/_vulnerabilities.adoc b/_vulnerabilities.adoc index 7fb02b69..2c14e3ec 100644 --- a/_vulnerabilities.adoc +++ b/_vulnerabilities.adoc @@ -32,8 +32,8 @@ We only extend this mathematical notation with set union operator (i.e., `∪`) |Summary |JDBC appender is vulnerable to remote code execution in certain configurations |CVSS 3.x Score & Vector |6.6 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) |Components affected |`log4j-core` -|Versions affected |`[2.0-beta7, 2.3.2) ∪ [2.4, 2.12.4) ∪ [2.13.0, 2.17.1)` -|Versions fixed |`2.3.2` (for Java 6), `2.12.4` (for Java 7), or `2.17.1` (for Java 8 and later) +|Versions affected |`[2.0-beta7, 2.3.1) ∪ [2.4, 2.12.4) ∪ [2.13.0, 2.17.1)` +|Versions fixed |`2.3.1` (for Java 6), `2.12.4` (for Java 7), or `2.17.1` (for Java 8 and later) |=== [#CVE-2021-44832-description] 
@@ -45,13 +45,14 @@ This issue is fixed by limiting JNDI data source names to the `java` protocol. [#CVE-2021-44832-mitigation] ==== Mitigation -Upgrade to `2.3.2` (for Java 6), `2.12.4` (for Java 7), or `2.17.1` (for Java 8 and later). +Upgrade to `2.3.1` (for Java 6), `2.12.4` (for Java 7), or `2.17.1` (for Java 8 and later). In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than `java`. [#CVE-2021-44832-references] ==== References - {cve-url-prefix}/CVE-2021-44832[CVE-2021-44832] +- https://issues.apache.org/jira/browse/LOG4J2-3242[LOG4J2-3242] [#CVE-2021-45105] === {cve-url-prefix}/CVE-2021-45105[CVE-2021-45105] @@ -192,6 +193,7 @@ This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team. - {cve-url-prefix}/CVE-2021-44228[CVE-2021-44228] - https://issues.apache.org/jira/browse/LOG4J2-3198[LOG4J2-3198] - https://issues.apache.org/jira/browse/LOG4J2-3201[LOG4J2-3201] +- https://issues.apache.org/jira/browse/LOG4J2-3242[LOG4J2-3242] [#CVE-2020-9488] === {cve-url-prefix}/CVE-2020-9488[CVE-2020-9488] @@ -201,8 +203,8 @@ This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team. |Summary |Improper validation of certificate with host mismatch in SMTP appender |CVSS 3.x Score & Vector |3.7 LOW (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) |Components affected |`log4j-core` -|Versions affected |`[2.0-beta1, 2.12.3) ∪ [2.13.1, 2.13.2)` -|Versions fixed |`2.12.3` (Java 7) and `2.13.2` (Java 8 and later) +|Versions affected |`[2.0-beta1, 2.3.2) ∪ [2.4, 2.12.2) ∪ [2.13.0, 2.13.2)` +|Versions fixed |`2.3.2` (for Java 6), `2.12.3` (for Java 7) and `2.13.2` (for Java 8 and later) |=== [#CVE-2020-9488-description] 
@@ -220,7 +222,7 @@ Usages of `SslConfiguration` that are configured via system properties are not a [#CVE-2020-9488-mitigation] ==== Mitigation -Upgrade to `2.12.3` (Java 7) or `2.13.2` (Java 8 and later). +Upgrade to `2.3.2` (Java 6), `2.12.3` (Java 7) or `2.13.2` (Java 8 and later). Alternatively, users can set the `mail.smtp.ssl.checkserveridentity` system property to `true` to enable SMTPS hostname verification for all SMTPS mail sessions. @@ -244,7 +246,7 @@ This issue was discovered by Peter Stöckli. |CVSS 2.0 Score & Vector |7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P) |Components affected |`log4j-core` |Versions affected |`[2.0-alpha1, 2.8.2)` -|Versions fixed |`2.8.2` (Java 7) +|Versions fixed |`2.8.2` (for Java 7 and later) |=== [#CVE-2017-5645-description]
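Review bot: LOG4J2-3242 is added to the References of CVE-2021-44832 (hunk `@@ -45,13 +45,14 @@`) and CVE-2021-44228 (hunk `@@ -192,6 +193,7 @@`) but not to CVE-2021-45046, although the commit message attributes the `2.3.1` fix for all three CVEs to the same commit f6564bb993d547d0a371b75d869042c334bf57f0. If the ticket tracks the `2.3.1` release, add `- https://issues.apache.org/jira/browse/LOG4J2-3242[LOG4J2-3242]` under the CVE-2021-45046 references as well; if it covers only one of the two CVEs, drop it from the other section.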
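Review bot: the new `Versions affected` and `Versions fixed` rows for CVE-2020-9488 (hunk `@@ -201,8 +203,8 @@`) disagree on the Java 7 line: the interval `[2.4, 2.12.2)` stops before `2.12.2`, yet the fix is listed as `2.12.3`, and the mitigation hunk (`@@ -220,7 +222,7 @@`) also says to upgrade to `2.12.3`. The pre-change interval was `[2.0-beta1, 2.12.3)`, so unless `2.12.2` actually contains the fix the row should read `[2.0-beta1, 2.3.2) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.13.2)`; otherwise both fixed-version mentions need to become `2.12.2`. The same hunk also moves the lower bound of the last interval from `2.13.1` to `2.13.0`, which the commit message (scoped to the `2.3.x` branch) does not explain; a sentence in the message would help future readers.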
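Review bot: the Java-version qualifiers become inconsistent across the file: the CVE-2020-9488 table (hunk `@@ -201,8 +203,8 @@`) and the CVE-2017-5645 table (hunk `@@ -244,7 +246,7 @@`) use `(for Java 6)` / `(for Java 7 and later)`, while the CVE-2020-9488 mitigation line (hunk `@@ -220,7 +222,7 @@`) uses `(Java 6)`, `(Java 7)` and `(Java 8 and later)`. Pick one form, for example the `(for Java N)` wording already used in both the CVE-2021-44832 table and its mitigation, and apply it to the CVE-2020-9488 mitigation line too.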
