This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-staging in repository https://gitbox.apache.org/repos/asf/logging-site.git
The following commit(s) were added to refs/heads/asf-staging by this push: new 844193d5 Automatic Site Publish by Buildbot 844193d5 is described below commit 844193d5933873026fd654a7a4d84b04c0790f83 Author: buildbot <us...@infra.apache.org> AuthorDate: Fri Aug 22 06:25:17 2025 +0000 Automatic Site Publish by Buildbot --- content/cyclonedx/vdr.xml | 479 ++++++++++++++++++++++++++++++++++++++++++++++ content/feed.xml | 2 +- 2 files changed, 480 insertions(+), 1 deletion(-) diff --git a/content/cyclonedx/vdr.xml b/content/cyclonedx/vdr.xml new file mode 100644 index 00000000..110dc499 --- /dev/null +++ b/content/cyclonedx/vdr.xml @@ -0,0 +1,479 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + ~ Licensed to the Apache Software Foundation (ASF) under one or more + ~ contributor license agreements. See the NOTICE file distributed with + ~ this work for additional information regarding copyright ownership. + ~ The ASF licenses this file to you under the Apache License, Version 2.0 + ~ (the "License"); you may not use this file except in compliance with + ~ the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, software + ~ distributed under the License is distributed on an "AS IS" BASIS, + ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ~ See the License for the specific language governing permissions and + ~ limitations under the License. + --> +<!-- This file is a Vulnerability Disclosure Report (VDR) covering all Apache Logging Services[1] projects. + This file adheres to the CycloneDX SBOM specification[2]. + + The latest version of this file can be found at https://logging.apache.org/cyclonedx/vdr.xml + + All Apache Logging Services projects (e.g., Log4j) generate SBOMs containing `vulnerability-assertion` entries with links to this file. + + If you need help in addressing these vulnerabilities, suggestions/corrections on the content, and/or reporting new vulnerabilities, please refer to the Log4j support page[3]. + + This file is maintained in version control[4]. + + To update the VDR: + 1. Increment the `version` attribute in the `<bom>` element. + 2. Update the `<timestamp>` element in the `<metadata>` section + to the current UTC date and time. + 3. For each modified `<vulnerability>`, update its `<updated>` element. + + [1] https://logging.apache.org + [2] https://cyclonedx.org + [3] https://logging.apache.org/log4j/2.x/support.html + [4] https://github.com/apache/logging-site/tree/cyclonedx + --> +<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns="http://cyclonedx.org/schema/bom/1.6" + xsi:schemaLocation="http://cyclonedx.org/schema/bom/1.6 https://cyclonedx.org/schema/bom-1.6.xsd" + version="3" + serialNumber="urn:uuid:dfa35519-9734-4259-bba1-3e825cf4be06"> + + <metadata> + <timestamp>2025-08-17T11:18:06Z</timestamp> + <manufacturer> + <name>Apache Logging Services</name> + <url>https://logging.apache.org</url> + </manufacturer> + </metadata> + + <!-- We add *dummy* components to refer to in `affects` blocks. + This is necessary, since not all Log4j components have SBOMs associated with them. --> + <components> + <component type="library" bom-ref="pkg:maven/org.apache.logging.log4j/log4j-core?type=jar"> + <group>org.apache.logging.log4j</group> + <name>log4j-core</name> + <cpe>cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*</cpe> + <purl>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</purl> + </component> + </components> + + <vulnerabilities> + + <vulnerability> + <id>CVE-2021-44832</id> + <source> + <name>NVD</name> + <url>https://nvd.nist.gov/vuln/detail/CVE-2021-44832</url> + </source> + <ratings> + <rating> + <source> + <name>NVD</name> + <url> + <![CDATA[https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H&version=3.1]]></url> + </source> + <score>6.6</score> + <severity>medium</severity> + <method>CVSSv3</method> + <vector>AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H</vector> + </rating> + </ratings> + <cwes> + <cwe>20</cwe> + <cwe>74</cwe> + </cwes> + <description><![CDATA[An attacker with write access to the logging configuration can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. +This issue is fixed by limiting JNDI data source names to the `java` protocol.]]></description> + <recommendation><![CDATA[Upgrade to `2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.0` (for Java 8 and later). + +In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than `java`.]]></recommendation> + <created>2021-12-28T00:00:00Z</created> + <published>2021-12-28T00:00:00Z</published> + <updated>2025-08-17T11:18:06Z</updated> + <affects> + <target> + <ref>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</ref> + <versions> + <version> + <range><![CDATA[vers:maven/>=2.0-beta7|<2.3.1]]></range> + </version> + <version> + <range><![CDATA[vers:maven/>=2.4|<2.12.3]]></range> + </version> + <version> + <range><![CDATA[vers:maven/>=2.13.0|<2.17.0]]></range> + </version> + </versions> + </target> + </affects> + </vulnerability> + + <vulnerability> + <id>CVE-2021-45105</id> + <source> + <name>NVD</name> + <url>https://nvd.nist.gov/vuln/detail/CVE-2021-45105</url> + </source> + <references> + <reference> + <id>LOG4J2-3230</id> + <source> + <name>Issue tracker</name> + <url>https://issues.apache.org/jira/browse/LOG4J2-3230</url> + </source> + </reference> + </references> + <ratings> + <rating> + <source> + <name>NVD</name> + <url> + <![CDATA[https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1]]></url> + </source> + <score>5.9</score> + <severity>medium</severity> + <method>CVSSv3</method> + <vector>AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H</vector> + </rating> + </ratings> + <cwes> + <cwe>20</cwe> + <cwe>674</cwe> + </cwes> + <description><![CDATA[Log4j versions `2.0-alpha1` through `2.16.0` (excluding `2.3.1` and `2.12.3`), did not protect from uncontrolled recursion that can be implemented using self-referential lookups. +When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, `$${ctx:loginId}`), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a `StackOverflowError` that will terminate the process.]]></description> + <recommendation><![CDATA[Upgrade to `2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.0` (for Java 8 and later). + +Alternatively, this infinite recursion issue can be mitigated in configuration: + +* In PatternLayout in the logging configuration, replace Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` with Thread Context Map patterns (`%X`, `%mdc`, or `%MDC`). +* Otherwise, in the configuration, remove references to Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` where they originate +from sources external to the application such as HTTP headers or user input. +Note that this mitigation is insufficient in releases older than `2.12.2` (for Java 7), and `2.16.0` (for Java 8 and later) as the issues fixed in those releases will still be present.]]></recommendation> + <created>2021-12-18T00:00:00Z</created> + <published>2021-12-18T00:00:00Z</published> + <updated>2022-10-06T00:00:00Z</updated> + <credits> + <individuals> + <individual> + <name>Hideki Okamoto</name> + </individual> + <individual> + <name>Guy Lederfein</name> + </individual> + </individuals> + </credits> + <affects> + <target> + <ref>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</ref> + <versions> + <version> + <range><![CDATA[vers:maven/>=2.0-alpha1|<2.3.1]]></range> + </version> + <version> + <range><![CDATA[vers:maven/>=2.4|<2.12.3]]></range> + </version> + <version> + <range><![CDATA[vers:maven/>=2.13.0|<2.17.0]]></range> + </version> + </versions> + </target> + </affects> + </vulnerability> + + <vulnerability> + <id>CVE-2021-45046</id> + <source> + <name>NVD</name> + <url>https://nvd.nist.gov/vuln/detail/CVE-2021-45046</url> + </source> + <references> + <reference> + <id>LOG4J2-3221</id> + <source> + <name>Issue tracker</name> + <url>https://issues.apache.org/jira/browse/LOG4J2-3221</url> + </source> + </reference> + </references> + <ratings> + <rating> + <source> + <name>NVD</name> + <url> + <![CDATA[https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H&version=3.1]]></url> + </source> + <score>9.0</score> + <severity>critical</severity> + <method>CVSSv3</method> + <vector>AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H</vector> + </rating> + </ratings> + <cwes> + <cwe>917</cwe> + </cwes> + <description><![CDATA[It was found that the fix to address CVE-2021-44228 in Log4j `2.15.0` was incomplete in certain non-default configurations. +When the logging configuration uses a non-default Pattern Layout with a Thread Context Lookup (for example, `$${ctx:loginId}`), attackers with control over Thread Context Map (MDC) can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments. +Remote code execution has been demonstrated on macOS, Fedora, Arch Linux, and Alpine Linux. + +Note that this vulnerability is not limited to just the JNDI lookup. +Any other Lookup could also be included in a Thread Context Map variable and possibly have private details exposed to anyone with access to the logs.]]></description> + <recommendation><![CDATA[Upgrade to Log4j `2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.16.0` (for Java 8 and later).]]></recommendation> + <created>2021-12-14T00:00:00Z</created> + <published>2021-12-14T00:00:00Z</published> + <updated>2025-08-17T11:18:06Z</updated> + <credits> + <individuals> + <individual> + <name>Kai Mindermann</name> + </individual> + <individual> + <name>4ra1n</name> + </individual> + <individual> + <name>Ash Fox</name> + </individual> + <individual> + <name>Alvaro Muñoz</name> + </individual> + <individual> + <name>Tony Torralba</name> + </individual> + <individual> + <name>Anthony Weems</name> + </individual> + <individual> + <name>RyotaK</name> + </individual> + </individuals> + </credits> + <affects> + <target> + <ref>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</ref> + <versions> + <version> + <range><![CDATA[vers:maven/>=2.0-beta9|<2.3.1]]></range> + </version> + <version> + <range><![CDATA[vers:maven/>=2.4|<2.12.3]]></range> + </version> + <version> + <range><![CDATA[vers:maven/>=2.13.0|<2.16.0]]></range> + </version> + </versions> + </target> + </affects> + </vulnerability> + + <vulnerability> + <id>CVE-2021-44228</id> + <source> + <name>NVD</name> + <url>https://nvd.nist.gov/vuln/detail/CVE-2021-44228</url> + </source> + <references> + <reference> + <id>LOG4J2-3198</id> + <source> + <name>Issue tracker</name> + <url>https://issues.apache.org/jira/browse/LOG4J2-3198</url> + </source> + </reference> + <reference> + <id>LOG4J2-3201</id> + <source> + <name>Issue tracker</name> + <url>https://issues.apache.org/jira/browse/LOG4J2-3201</url> + </source> + </reference> + </references> + <ratings> + <rating> + <source> + <name>NVD</name> + <url><![CDATA[https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H&version=3.1]]></url> + </source> + <score>10.0</score> + <severity>critical</severity> + <method>CVSSv3</method> + <vector>AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H</vector> + </rating> + </ratings> + <cwes> + <cwe>20</cwe> + <cwe>400</cwe> + <cwe>502</cwe> + <cwe>917</cwe> + </cwes> + <description><![CDATA[In Log4j, the JNDI features used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. +An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers.]]></description> + <recommendation><![CDATA[Upgrade to Log4j `2.3.1` (for Java 6), `2.12.2` (for Java 7), or `2.15.0` (for Java 8 and later).]]></recommendation> + <created>2021-12-10T00:00:00Z</created> + <published>2021-12-10T00:00:00Z</published> + <updated>2025-08-17T11:18:06Z</updated> + <credits> + <individuals> + <individual> + <name>Chen Zhaojun</name> + </individual> + </individuals> + </credits> + <affects> + <target> + <ref>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</ref> + <versions> + <version> + <range><![CDATA[vers:maven/>=2.0-beta9|<2.3.1]]></range> + </version> + <version> + <range><![CDATA[vers:maven/>=2.4|<2.12.2]]></range> + </version> + <version> + <range><![CDATA[vers:maven/>=2.13.0|<2.15.0]]></range> + </version> + </versions> + </target> + </affects> + </vulnerability> + + <vulnerability> + <id>CVE-2020-9488</id> + <source> + <name>NVD</name> + <url>https://nvd.nist.gov/vuln/detail/CVE-2020-9488</url> + </source> + <references> + <reference> + <id>LOG4J2-2819</id> + <source> + <name>Issue tracker</name> + <url>https://issues.apache.org/jira/browse/LOG4J2-2819</url> + </source> + </reference> + </references> + <ratings> + <rating> + <source> + <name>NVD</name> + <url><![CDATA[https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N&version=3.1]]></url> + </source> + <score>3.7</score> + <severity>low</severity> + <method>CVSSv3</method> + <vector>AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N</vector> + </rating> + </ratings> + <cwes> + <cwe>295</cwe> + </cwes> + <description><![CDATA[Improper validation of certificate with host mismatch in SMTP appender. +This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log +messages sent through that appender. + +The reported issue was caused by an error in `SslConfiguration`. +Any element using `SslConfiguration` in the Log4j `Configuration` is also affected by this issue. +This includes `HttpAppender`, `SocketAppender`, and `SyslogAppender`. +Usages of `SslConfiguration` that are configured via system properties are not affected.]]></description> + <recommendation><![CDATA[Upgrade to `2.3.2` (Java 6), `2.12.3` (Java 7) or `2.13.2` (Java 8 and later). + +Alternatively, users can set the `mail.smtp.ssl.checkserveridentity` system property to `true` to enable SMTPS hostname verification for all SMTPS mail sessions.]]></recommendation> + <created>2017-04-27T00:00:00Z</created> + <published>2017-04-27T00:00:00Z</published> + <updated>2025-08-17T11:18:06Z</updated> + <credits> + <individuals> + <individual> + <name>Peter Stöckli</name> + </individual> + </individuals> + </credits> + <affects> + <target> + <ref>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</ref> + <versions> + <version> + <range><![CDATA[vers:maven/>=2.0-beta1|<2.3.2]]></range> + </version> + <version> + <range><![CDATA[vers:maven/>=2.4|<2.12.3]]></range> + </version> + <version> + <version><![CDATA[vers:maven/>=2.13.0|<2.13.2]]></version> + </version> + </versions> + </target> + </affects> + </vulnerability> + + <vulnerability> + <id>CVE-2017-5645</id> + <source> + <name>NVD</name> + <url>https://nvd.nist.gov/vuln/detail/CVE-2017-5645</url> + </source> + <references> + <reference> + <id>LOG4J2-1863</id> + <source> + <name>Issue tracker</name> + <url>https://issues.apache.org/jira/browse/LOG4J2-1863</url> + </source> + </reference> + <reference> + <id>the security fix commit</id> + <source> + <name>Source code repository</name> + <url>https://github.com/apache/logging-log4j2/commit/5dcc192</url> + </source> + </reference> + </references> + <ratings> + <rating> + <source> + <name>NVD</name> + <url><![CDATA[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P)&version=2.0]]></url> + </source> + <score>7.5</score> + <severity>high</severity> + <method>CVSSv2</method> + <vector>AV:N/AC:L/Au:N/C:P/I:P/A:P</vector> + </rating> + </ratings> + <cwes> + <cwe>502</cwe> + </cwes> + <description><![CDATA[When using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.]]></description> + <recommendation><![CDATA[Java 7 and above users should migrate to version `2.8.2` or avoid using the socket server classes. +Java 6 users should avoid using the TCP or UDP socket server classes, or they can manually backport the security fix commit[1] from `2.8.2`. + +[1] https://github.com/apache/logging-log4j2/commit/5dcc192]]></recommendation> + <created>2017-04-17T00:00:00Z</created> + <published>2017-04-17T00:00:00Z</published> + <updated>2022-04-04T00:00:00Z</updated> + <credits> + <individuals> + <individual> + <name>Marcio Almeida de Macedo</name> + </individual> + </individuals> + </credits> + <affects> + <target> + <ref>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</ref> + <versions> + <version> + <range><![CDATA[vers:maven/>=2.0-alpha1|<2.8.2]]></range> + </version> + </versions> + </target> + </affects> + </vulnerability> + + </vulnerabilities> + +</bom> diff --git a/content/feed.xml b/content/feed.xml index b16e80bc..6c3a0666 100644 --- a/content/feed.xml +++ b/content/feed.xml @@ -1,4 +1,4 @@ -<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.4.1">Jekyll</generator><link href="/feed.xml" rel="self" type="application/atom+xml" /><link href="/" rel="alternate" type="text/html" /><updated>2025-08-17T11:05:13+00:00</updated><id>/feed.xml</id><title type="html">Apache Software Foundation - Logging Services</title><subtitle>Write an awesome description for your new site here. You can edit this line in _ [...] +<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.4.1">Jekyll</generator><link href="/feed.xml" rel="self" type="application/atom+xml" /><link href="/" rel="alternate" type="text/html" /><updated>2025-08-22T06:25:16+00:00</updated><id>/feed.xml</id><title type="html">Apache Software Foundation - Logging Services</title><subtitle>Write an awesome description for your new site here. You can edit this line in _ [...] <p>A <strong>Vulnerability Exploitability eXchange (VEX)</strong> is a machine-readable file used to indicate whether vulnerabilities in an application’s third-party dependencies are actually exploitable.</p>