This is an automated email from the ASF dual-hosted git repository. pkarwasz pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/logging-site.git
commit 7ec065038d94b445d03633cd6d7a409f4acc8169 Author: Piotr P. Karwasz <[email protected]> AuthorDate: Fri Aug 22 09:58:00 2025 +0200 docs: add CVE-2025-54813 details Document the improper escaping of special elements in `JSONLayout` in Apache Log4cxx. --- _vulnerabilities.adoc | 36 ++++++++++++++++++++++++++++++++++-- cyclonedx/vdr.xml | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 85 insertions(+), 2 deletions(-) diff --git a/_vulnerabilities.adoc b/_vulnerabilities.adoc index fc8f4cad..6601046e 100644 --- a/_vulnerabilities.adoc +++ b/_vulnerabilities.adoc 
@@ -29,6 +29,38 @@ Version ranges follow the https://github.com/package-url/vers-spec/blob/main/VER For brevity, mathematical interval notation is used, with the union operator (`∪`) to represent multiple ranges. ==== +[#CVE-2025-54813] +== {cve-url-prefix}/CVE-2025-54812[CVE-2025-54813] + +[cols="1h,5"] +|=== +|Summary |Improper escaping with JSONLayout +|CVSS 4.x Score & Vector |6.3 MEDIUM (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N) +|Components affected |Apache Log4cxx +|Versions affected |`[0.11.0, 1.5.0)` +|Versions fixed |`1.5.0` +|=== + +[#CVE-2025-54813-description] +=== Description + +When using `JSONLayout`, not all payload bytes are properly escaped. +If an attacker-supplied message contains certain non-printable characters, these will be passed along in the message and written out as part of the JSON message. +This may prevent applications that consume these logs from correctly interpreting the information within them. + +[#CVE-2025-54813-remediation] +=== Remediation +Users are recommended to upgrade to version `1.5.0`, which fixes the issue. + +[#CVE-2025-54813-credits] +=== Credits +This issue was discovered and remediated with support from the Sovereign Tech Agency, through the https://yeswehack.com/programs/log4j-bug-bounty-program[Apache Log4j Bug Bounty Program on YesWeHack]. + +[#CVE-2025-54813-references] +=== References +* {cve-url-prefix}/CVE-2025-54813[CVE-2025-54813] +* https://github.com/apache/logging-log4cxx/pull/512[Pull request that fixes the issue] + [#CVE-2025-54812] == {cve-url-prefix}/CVE-2025-54812[CVE-2025-54812] 
@@ -125,8 +157,8 @@ Upgrade to `2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.0` (for Java 8 Alternatively, this infinite recursion issue can be mitigated in configuration: -* In PatternLayout in the logging configuration, replace Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` with Thread Context Map patterns (`%X`, `%mdc`, or `%MDC`). -* Otherwise, in the configuration, remove references to Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` where they originate +* In PatternLayout in the logging configuration, replace Context Lookups like `${ctx:loginId}` or `++$$++{ctx:loginId}` with Thread Context Map patterns (`%X`, `%mdc`, or `%MDC`). +* Otherwise, in the configuration, remove references to Context Lookups like `${ctx:loginId}` or `++$$++{ctx:loginId}` where they originate from sources external to the application such as HTTP headers or user input. Note that this mitigation is insufficient in releases older than `2.12.2` (for Java 7), and `2.16.0` (for Java 8 and later) as the issues fixed in those releases will still be present. diff --git a/cyclonedx/vdr.xml b/cyclonedx/vdr.xml index 78d9f196..f9d382b1 100644 --- a/cyclonedx/vdr.xml +++ b/cyclonedx/vdr.xml 
@@ -67,6 +67,57 @@ <vulnerabilities> + <vulnerability> + <id>CVE-2025-54813</id> + <source> + <name>NVD</name> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-54813</url> + </source> + <ratings> + <rating> + <source> + <name>NVD</name> + <url> + https://nvd.nist.gov/vuln-metrics/cvss/v4-calculator?vector=AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N + </url> + </source> + <score>6.3</score> + <severity>medium</severity> + <method>CVSSv4</method> + <vector>AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N</vector> + </rating> + </ratings> + <cwes> + <cwe>117</cwe> + </cwes> + <description><![CDATA[When using `JSONLayout`, not all payload bytes are properly escaped. +If an attacker-supplied message contains certain non-printable characters, these will be passed along in the message and written out as part of the JSON message. +This may prevent applications that consume these logs from correctly interpreting the information within them.]]></description> + <recommendation> + <![CDATA[Users are recommended to upgrade to version `1.5.0`, which fixes the issue.]]></recommendation> + <created>2025-08-22T07:31:10Z</created> + <published>2025-08-22T07:31:10Z</published> + <updated>2025-08-22T07:31:10Z</updated> + <credits> + <organizations> + <organization> + <name>Sovereign Tech Agency</name> + <url>https://www.sovereign.tech/</url> + </organization> + </organizations> + </credits> + <affects> + <target> + <ref>logcxx</ref> + <versions> + <version> + <range><![CDATA[vers:semver>=0.11.0|<1.5.0]]></range> + </version> + </versions> + </target> + </affects> + </vulnerability> + <vulnerability> <id>CVE-2025-54812</id> <source>
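Review bot: in the first `_vulnerabilities.adoc` hunk the new section heading links to the wrong CVE record: `== {cve-url-prefix}/CVE-2025-54812[CVE-2025-54813]` targets CVE-2025-54812 while the link text, the `[#CVE-2025-54813]` anchor and the References bullet (`{cve-url-prefix}/CVE-2025-54813[CVE-2025-54813]`) all use CVE-2025-54813; change the heading URL to `{cve-url-prefix}/CVE-2025-54813[CVE-2025-54813]` so readers are not sent to the other advisory.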
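Review bot: the second `_vulnerabilities.adoc` hunk (replacing `$${ctx:loginId}` with `++$$++{ctx:loginId}` in the infinite-recursion mitigation bullets) is an AsciiDoc rendering fix unrelated to CVE-2025-54813 and is not mentioned in the commit message "docs: add CVE-2025-54813 details"; either move it to its own commit or add a line to the message, otherwise the fix is hard to find in history.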
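Review bot: in the `cyclonedx/vdr.xml` hunk, `<ref>logcxx</ref>` under `<affects>` must resolve to a component `bom-ref` defined in this document; the spelling `logcxx` differs from the product name `Apache Log4cxx` used in the adoc entry, so confirm it matches the ref the existing Log4cxx component uses rather than being a typo of `log4cxx`. The rating `<url>` is also split across lines with leading and trailing whitespace inside the element; keeping the URL on one line avoids depending on the consumer's whitespace handling.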
