This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new 844193d5 Automatic Site Publish by Buildbot
844193d5 is described below

commit 844193d5933873026fd654a7a4d84b04c0790f83
Author: buildbot <us...@infra.apache.org>
AuthorDate: Fri Aug 22 06:25:17 2025 +0000

    Automatic Site Publish by Buildbot
---
 content/cyclonedx/vdr.xml | 479 ++++++++++++++++++++++++++++++++++++++++++++++
 content/feed.xml          |   2 +-
 2 files changed, 480 insertions(+), 1 deletion(-)

diff --git a/content/cyclonedx/vdr.xml b/content/cyclonedx/vdr.xml
new file mode 100644
index 00000000..110dc499
--- /dev/null
+++ b/content/cyclonedx/vdr.xml
@@ -0,0 +1,479 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to you under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<!-- This file is a Vulnerability Disclosure Report (VDR) covering all Apache 
Logging Services[1] projects.
+     This file adheres to the CycloneDX SBOM specification[2].
+
+     The latest version of this file can be found at 
https://logging.apache.org/cyclonedx/vdr.xml
+
+     All Apache Logging Services projects (e.g., Log4j) generate SBOMs 
containing `vulnerability-assertion` entries with links to this file.
+
+     If you need help in addressing these vulnerabilities, 
suggestions/corrections on the content, and/or reporting new vulnerabilities, 
please refer to the Log4j support page[3].
+
+     This file is maintained in version control[4].
+
+     To update the VDR:
+     1. Increment the `version` attribute in the `<bom>` element.
+     2. Update the `<timestamp>` element in the `<metadata>` section
+        to the current UTC date and time.
+     3. For each modified `<vulnerability>`, update its `<updated>` element.
+
+     [1] https://logging.apache.org
+     [2] https://cyclonedx.org
+     [3] https://logging.apache.org/log4j/2.x/support.html
+     [4] https://github.com/apache/logging-site/tree/cyclonedx
+     -->
+<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+     xmlns="http://cyclonedx.org/schema/bom/1.6";
+     xsi:schemaLocation="http://cyclonedx.org/schema/bom/1.6 
https://cyclonedx.org/schema/bom-1.6.xsd";
+     version="3"
+     serialNumber="urn:uuid:dfa35519-9734-4259-bba1-3e825cf4be06">
+
+  <metadata>
+    <timestamp>2025-08-17T11:18:06Z</timestamp>
+    <manufacturer>
+      <name>Apache Logging Services</name>
+      <url>https://logging.apache.org</url>
+    </manufacturer>
+  </metadata>
+
+  <!-- We add *dummy* components to refer to in `affects` blocks.
+       This is necessary, since not all Log4j components have SBOMs associated 
with them. -->
+  <components>
+    <component type="library" 
bom-ref="pkg:maven/org.apache.logging.log4j/log4j-core?type=jar">
+      <group>org.apache.logging.log4j</group>
+      <name>log4j-core</name>
+      <cpe>cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*</cpe>
+      <purl>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</purl>
+    </component>
+  </components>
+
+  <vulnerabilities>
+
+    <vulnerability>
+      <id>CVE-2021-44832</id>
+      <source>
+        <name>NVD</name>
+        <url>https://nvd.nist.gov/vuln/detail/CVE-2021-44832</url>
+      </source>
+      <ratings>
+        <rating>
+          <source>
+            <name>NVD</name>
+            <url>
+              
<![CDATA[https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H&version=3.1]]></url>
+          </source>
+          <score>6.6</score>
+          <severity>medium</severity>
+          <method>CVSSv3</method>
+          <vector>AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H</vector>
+        </rating>
+      </ratings>
+      <cwes>
+        <cwe>20</cwe>
+        <cwe>74</cwe>
+      </cwes>
+      <description><![CDATA[An attacker with write access to the logging 
configuration can construct a malicious configuration using a JDBC Appender 
with a data source referencing a JNDI URI which can execute remote code.
+This issue is fixed by limiting JNDI data source names to the `java` 
protocol.]]></description>
+      <recommendation><![CDATA[Upgrade to `2.3.1` (for Java 6), `2.12.3` (for 
Java 7), or `2.17.0` (for Java 8 and later).
+
+In prior releases confirm that if the JDBC Appender is being used it is not 
configured to use any protocol other than `java`.]]></recommendation>
+      <created>2021-12-28T00:00:00Z</created>
+      <published>2021-12-28T00:00:00Z</published>
+      <updated>2025-08-17T11:18:06Z</updated>
+      <affects>
+        <target>
+          <ref>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</ref>
+          <versions>
+            <version>
+              <range><![CDATA[vers:maven/>=2.0-beta7|<2.3.1]]></range>
+            </version>
+            <version>
+              <range><![CDATA[vers:maven/>=2.4|<2.12.3]]></range>
+            </version>
+            <version>
+              <range><![CDATA[vers:maven/>=2.13.0|<2.17.0]]></range>
+            </version>
+          </versions>
+        </target>
+      </affects>
+    </vulnerability>
+
+    <vulnerability>
+      <id>CVE-2021-45105</id>
+      <source>
+        <name>NVD</name>
+        <url>https://nvd.nist.gov/vuln/detail/CVE-2021-45105</url>
+      </source>
+      <references>
+        <reference>
+          <id>LOG4J2-3230</id>
+          <source>
+            <name>Issue tracker</name>
+            <url>https://issues.apache.org/jira/browse/LOG4J2-3230</url>
+          </source>
+        </reference>
+      </references>
+      <ratings>
+        <rating>
+          <source>
+            <name>NVD</name>
+            <url>
+              
<![CDATA[https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1]]></url>
+          </source>
+          <score>5.9</score>
+          <severity>medium</severity>
+          <method>CVSSv3</method>
+          <vector>AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H</vector>
+        </rating>
+      </ratings>
+      <cwes>
+        <cwe>20</cwe>
+        <cwe>674</cwe>
+      </cwes>
+      <description><![CDATA[Log4j versions `2.0-alpha1` through `2.16.0` 
(excluding `2.3.1` and `2.12.3`), did not protect from uncontrolled recursion 
that can be implemented using self-referential lookups.
+When the logging configuration uses a non-default Pattern Layout with a 
Context Lookup (for example, `$${ctx:loginId}`), attackers with control over 
Thread Context Map (MDC) input data can craft malicious input data that 
contains a recursive lookup, resulting in a `StackOverflowError` that will 
terminate the process.]]></description>
+      <recommendation><![CDATA[Upgrade to `2.3.1` (for Java 6), `2.12.3` (for 
Java 7), or `2.17.0` (for Java 8 and later).
+
+Alternatively, this infinite recursion issue can be mitigated in configuration:
+
+* In PatternLayout in the logging configuration, replace Context Lookups like 
`${ctx:loginId}` or `$${ctx:loginId}` with Thread Context Map patterns (`%X`, 
`%mdc`, or `%MDC`).
+* Otherwise, in the configuration, remove references to Context Lookups like 
`${ctx:loginId}` or `$${ctx:loginId}` where they originate
+from sources external to the application such as HTTP headers or user input.
+Note that this mitigation is insufficient in releases older than `2.12.2` (for 
Java 7), and `2.16.0` (for Java 8 and later) as the issues fixed in those 
releases will still be present.]]></recommendation>
+      <created>2021-12-18T00:00:00Z</created>
+      <published>2021-12-18T00:00:00Z</published>
+      <updated>2022-10-06T00:00:00Z</updated>
+      <credits>
+        <individuals>
+          <individual>
+            <name>Hideki Okamoto</name>
+          </individual>
+          <individual>
+            <name>Guy Lederfein</name>
+          </individual>
+        </individuals>
+      </credits>
+      <affects>
+        <target>
+          <ref>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</ref>
+          <versions>
+            <version>
+              <range><![CDATA[vers:maven/>=2.0-alpha1|<2.3.1]]></range>
+            </version>
+            <version>
+              <range><![CDATA[vers:maven/>=2.4|<2.12.3]]></range>
+            </version>
+            <version>
+              <range><![CDATA[vers:maven/>=2.13.0|<2.17.0]]></range>
+            </version>
+          </versions>
+        </target>
+      </affects>
+    </vulnerability>
+
+    <vulnerability>
+      <id>CVE-2021-45046</id>
+      <source>
+        <name>NVD</name>
+        <url>https://nvd.nist.gov/vuln/detail/CVE-2021-45046</url>
+      </source>
+      <references>
+        <reference>
+          <id>LOG4J2-3221</id>
+          <source>
+            <name>Issue tracker</name>
+            <url>https://issues.apache.org/jira/browse/LOG4J2-3221</url>
+          </source>
+        </reference>
+      </references>
+      <ratings>
+        <rating>
+          <source>
+            <name>NVD</name>
+            <url>
+              
<![CDATA[https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H&version=3.1]]></url>
+          </source>
+          <score>9.0</score>
+          <severity>critical</severity>
+          <method>CVSSv3</method>
+          <vector>AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H</vector>
+        </rating>
+      </ratings>
+      <cwes>
+        <cwe>917</cwe>
+      </cwes>
+      <description><![CDATA[It was found that the fix to address 
CVE-2021-44228 in Log4j `2.15.0` was incomplete in certain non-default 
configurations.
+When the logging configuration uses a non-default Pattern Layout with a Thread 
Context Lookup (for example, `$${ctx:loginId}`), attackers with control over 
Thread Context Map (MDC) can craft malicious input data using a JNDI Lookup 
pattern, resulting in an information leak and remote code execution in some 
environments and local code execution in all environments.
+Remote code execution has been demonstrated on macOS, Fedora, Arch Linux, and 
Alpine Linux.
+
+Note that this vulnerability is not limited to just the JNDI lookup.
+Any other Lookup could also be included in a Thread Context Map variable and 
possibly have private details exposed to anyone with access to the 
logs.]]></description>
+      <recommendation><![CDATA[Upgrade to Log4j `2.3.1` (for Java 6), `2.12.3` 
(for Java 7), or `2.16.0` (for Java 8 and later).]]></recommendation>
+      <created>2021-12-14T00:00:00Z</created>
+      <published>2021-12-14T00:00:00Z</published>
+      <updated>2025-08-17T11:18:06Z</updated>
+      <credits>
+        <individuals>
+          <individual>
+            <name>Kai Mindermann</name>
+          </individual>
+          <individual>
+            <name>4ra1n</name>
+          </individual>
+          <individual>
+            <name>Ash Fox</name>
+          </individual>
+          <individual>
+            <name>Alvaro Muñoz</name>
+          </individual>
+          <individual>
+            <name>Tony Torralba</name>
+          </individual>
+          <individual>
+            <name>Anthony Weems</name>
+          </individual>
+          <individual>
+            <name>RyotaK</name>
+          </individual>
+        </individuals>
+      </credits>
+      <affects>
+        <target>
+          <ref>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</ref>
+          <versions>
+            <version>
+              <range><![CDATA[vers:maven/>=2.0-beta9|<2.3.1]]></range>
+            </version>
+            <version>
+              <range><![CDATA[vers:maven/>=2.4|<2.12.3]]></range>
+            </version>
+            <version>
+              <range><![CDATA[vers:maven/>=2.13.0|<2.16.0]]></range>
+            </version>
+          </versions>
+        </target>
+      </affects>
+    </vulnerability>
+
+    <vulnerability>
+      <id>CVE-2021-44228</id>
+      <source>
+        <name>NVD</name>
+        <url>https://nvd.nist.gov/vuln/detail/CVE-2021-44228</url>
+      </source>
+      <references>
+        <reference>
+          <id>LOG4J2-3198</id>
+          <source>
+            <name>Issue tracker</name>
+            <url>https://issues.apache.org/jira/browse/LOG4J2-3198</url>
+          </source>
+        </reference>
+        <reference>
+          <id>LOG4J2-3201</id>
+          <source>
+            <name>Issue tracker</name>
+            <url>https://issues.apache.org/jira/browse/LOG4J2-3201</url>
+          </source>
+        </reference>
+      </references>
+      <ratings>
+        <rating>
+          <source>
+            <name>NVD</name>
+            
<url><![CDATA[https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H&version=3.1]]></url>
+          </source>
+          <score>10.0</score>
+          <severity>critical</severity>
+          <method>CVSSv3</method>
+          <vector>AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H</vector>
+        </rating>
+      </ratings>
+      <cwes>
+        <cwe>20</cwe>
+        <cwe>400</cwe>
+        <cwe>502</cwe>
+        <cwe>917</cwe>
+      </cwes>
+      <description><![CDATA[In Log4j, the JNDI features used in 
configurations, log messages, and parameters do not protect against 
attacker-controlled LDAP and other JNDI related endpoints.
+An attacker who can control log messages or log message parameters can execute 
arbitrary code loaded from LDAP servers.]]></description>
+      <recommendation><![CDATA[Upgrade to Log4j `2.3.1` (for Java 6), `2.12.2` 
(for Java 7), or `2.15.0` (for Java 8 and later).]]></recommendation>
+      <created>2021-12-10T00:00:00Z</created>
+      <published>2021-12-10T00:00:00Z</published>
+      <updated>2025-08-17T11:18:06Z</updated>
+      <credits>
+        <individuals>
+          <individual>
+            <name>Chen Zhaojun</name>
+          </individual>
+        </individuals>
+      </credits>
+      <affects>
+        <target>
+          <ref>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</ref>
+          <versions>
+            <version>
+              <range><![CDATA[vers:maven/>=2.0-beta9|<2.3.1]]></range>
+            </version>
+            <version>
+              <range><![CDATA[vers:maven/>=2.4|<2.12.2]]></range>
+            </version>
+            <version>
+              <range><![CDATA[vers:maven/>=2.13.0|<2.15.0]]></range>
+            </version>
+          </versions>
+        </target>
+      </affects>
+    </vulnerability>
+
+    <vulnerability>
+      <id>CVE-2020-9488</id>
+      <source>
+        <name>NVD</name>
+        <url>https://nvd.nist.gov/vuln/detail/CVE-2020-9488</url>
+      </source>
+      <references>
+        <reference>
+          <id>LOG4J2-2819</id>
+          <source>
+            <name>Issue tracker</name>
+            <url>https://issues.apache.org/jira/browse/LOG4J2-2819</url>
+          </source>
+        </reference>
+      </references>
+      <ratings>
+        <rating>
+          <source>
+            <name>NVD</name>
+            
<url><![CDATA[https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N&version=3.1]]></url>
+          </source>
+          <score>3.7</score>
+          <severity>low</severity>
+          <method>CVSSv3</method>
+          <vector>AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N</vector>
+        </rating>
+      </ratings>
+      <cwes>
+        <cwe>295</cwe>
+      </cwes>
+      <description><![CDATA[Improper validation of certificate with host 
mismatch in SMTP appender.
+This could allow an SMTPS connection to be intercepted by a man-in-the-middle 
attack which could leak any log
+messages sent through that appender.
+
+The reported issue was caused by an error in `SslConfiguration`.
+Any element using `SslConfiguration` in the Log4j `Configuration` is also 
affected by this issue.
+This includes `HttpAppender`, `SocketAppender`, and `SyslogAppender`.
+Usages of `SslConfiguration` that are configured via system properties are not 
affected.]]></description>
+      <recommendation><![CDATA[Upgrade to `2.3.2` (Java 6), `2.12.3` (Java 7) 
or `2.13.2` (Java 8 and later).
+
+Alternatively, users can set the `mail.smtp.ssl.checkserveridentity` system 
property to `true` to enable SMTPS hostname verification for all SMTPS mail 
sessions.]]></recommendation>
+      <created>2017-04-27T00:00:00Z</created>
+      <published>2017-04-27T00:00:00Z</published>
+      <updated>2025-08-17T11:18:06Z</updated>
+      <credits>
+        <individuals>
+          <individual>
+            <name>Peter Stöckli</name>
+          </individual>
+        </individuals>
+      </credits>
+      <affects>
+        <target>
+          <ref>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</ref>
+          <versions>
+            <version>
+              <range><![CDATA[vers:maven/>=2.0-beta1|<2.3.2]]></range>
+            </version>
+            <version>
+              <range><![CDATA[vers:maven/>=2.4|<2.12.3]]></range>
+            </version>
+            <version>
+              <version><![CDATA[vers:maven/>=2.13.0|<2.13.2]]></version>
+            </version>
+          </versions>
+        </target>
+      </affects>
+    </vulnerability>
+
+    <vulnerability>
+      <id>CVE-2017-5645</id>
+      <source>
+        <name>NVD</name>
+        <url>https://nvd.nist.gov/vuln/detail/CVE-2017-5645</url>
+      </source>
+      <references>
+        <reference>
+          <id>LOG4J2-1863</id>
+          <source>
+            <name>Issue tracker</name>
+            <url>https://issues.apache.org/jira/browse/LOG4J2-1863</url>
+          </source>
+        </reference>
+        <reference>
+          <id>the security fix commit</id>
+          <source>
+            <name>Source code repository</name>
+            <url>https://github.com/apache/logging-log4j2/commit/5dcc192</url>
+          </source>
+        </reference>
+      </references>
+      <ratings>
+        <rating>
+          <source>
+            <name>NVD</name>
+            
<url><![CDATA[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P)&version=2.0]]></url>
+          </source>
+          <score>7.5</score>
+          <severity>high</severity>
+          <method>CVSSv2</method>
+          <vector>AV:N/AC:L/Au:N/C:P/I:P/A:P</vector>
+        </rating>
+      </ratings>
+      <cwes>
+        <cwe>502</cwe>
+      </cwes>
+      <description><![CDATA[When using the TCP socket server or UDP socket 
server to receive serialized log events from another application, a specially 
crafted binary payload can be sent that, when deserialized, can execute 
arbitrary code.]]></description>
+      <recommendation><![CDATA[Java 7 and above users should migrate to 
version `2.8.2` or avoid using the socket server classes.
+Java 6 users should avoid using the TCP or UDP socket server classes, or they 
can manually backport the security fix commit[1] from `2.8.2`.
+
+[1] https://github.com/apache/logging-log4j2/commit/5dcc192]]></recommendation>
+      <created>2017-04-17T00:00:00Z</created>
+      <published>2017-04-17T00:00:00Z</published>
+      <updated>2022-04-04T00:00:00Z</updated>
+      <credits>
+        <individuals>
+          <individual>
+            <name>Marcio Almeida de Macedo</name>
+          </individual>
+        </individuals>
+      </credits>
+      <affects>
+        <target>
+          <ref>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</ref>
+          <versions>
+            <version>
+              <range><![CDATA[vers:maven/>=2.0-alpha1|<2.8.2]]></range>
+            </version>
+          </versions>
+        </target>
+      </affects>
+    </vulnerability>
+
+  </vulnerabilities>
+
+</bom>
diff --git a/content/feed.xml b/content/feed.xml
index b16e80bc..6c3a0666 100644
--- a/content/feed.xml
+++ b/content/feed.xml
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?><feed 
xmlns="http://www.w3.org/2005/Atom"; ><generator uri="https://jekyllrb.com/"; 
version="4.4.1">Jekyll</generator><link href="/feed.xml" rel="self" 
type="application/atom+xml" /><link href="/" rel="alternate" type="text/html" 
/><updated>2025-08-17T11:05:13+00:00</updated><id>/feed.xml</id><title 
type="html">Apache Software Foundation - Logging 
Services</title><subtitle>Write an awesome description for your new site here. 
You can edit this line in _ [...]
+<?xml version="1.0" encoding="utf-8"?><feed 
xmlns="http://www.w3.org/2005/Atom"; ><generator uri="https://jekyllrb.com/"; 
version="4.4.1">Jekyll</generator><link href="/feed.xml" rel="self" 
type="application/atom+xml" /><link href="/" rel="alternate" type="text/html" 
/><updated>2025-08-22T06:25:16+00:00</updated><id>/feed.xml</id><title 
type="html">Apache Software Foundation - Logging 
Services</title><subtitle>Write an awesome description for your new site here. 
You can edit this line in _ [...]
 
 <p>A <strong>Vulnerability Exploitability eXchange (VEX)</strong> is a 
machine-readable file used to indicate whether vulnerabilities in an 
application’s third-party dependencies are actually exploitable.</p>
 

Reply via email to