This is an automated email from the ASF dual-hosted git repository.

btellier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git


The following commit(s) were added to refs/heads/master by this push:
     new 68434b2  [DOCUMENTATION] Mention Log4Shell on James security page (#864)
68434b2 is described below

commit 68434b2ed5f189aa234b6ca5489d9244de653522
Author: Benoit TELLIER <[email protected]>
AuthorDate: Mon Jan 31 10:09:07 2022 +0700

    [DOCUMENTATION] Mention Log4Shell on James security page (#864)
---
 src/site/xdoc/server/feature-security.xml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/site/xdoc/server/feature-security.xml 
b/src/site/xdoc/server/feature-security.xml
index 2dd430d..3d88c75 100644
--- a/src/site/xdoc/server/feature-security.xml
+++ b/src/site/xdoc/server/feature-security.xml
@@ -53,6 +53,16 @@
             We follow the standard procedures within the ASF regarding
             <a 
href="https://apache.org/security/committers.html#vulnerability-handling";>vulnerability
 handling</a>.
         </subsection>
+        <subsection name="CVE-2021-44228: Log4Shell">
+            <p>Apache James Spring distribution prior to release 3.6.1 is 
vulnerable to attacks leveraging Log4Shell.
+            This can be leveraged to conduct remote code execution with only 
SMTP access.</p>
+
+            <p><b>Severity</b>: High</p>
+
+            <p><b>Mitigation</b>: We recommend to upgrade to Apache James 
3.6.1 or higher, which fixes this vulnerability.</p>
+
+            <p>Note: Guice distributions are not affected.</p>
+        </subsection>
         <subsection name="CVE-2021-38542: Apache James vulnerable to STARTTLS 
command injection (IMAP and POP3)">
             <p>Apache James prior to release 3.6.1 is vulnerable to a 
buffering attack relying on the use of the STARTTLS
                 command. This can result in Man-in -the-middle command 
injection attacks, leading potentially to leakage
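Review bot: the mitigation paragraph in this hunk, `<p><b>Mitigation</b>: We recommend to upgrade to Apache James 3.6.1 or higher, which fixes this vulnerability.</p>`, is ungrammatical; "We recommend upgrading to Apache James 3.6.1 or higher" reads correctly. Consider also linking the CVE identifier in the new subsection name to its advisory entry, the way the paragraph just above links the ASF vulnerability-handling page, so readers of the security page can follow the reference directly rather than searching for it.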
