[
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458520#comment-17458520
]
Mark J. Cox commented on LOG4J2-3214:
-------------------------------------
Gary, although the CVE was initially allocated from the Red Hat CNA, the text
we sent to cve.org was written by the ASF and the "owner" of the CVE is being
transferred to ASF. It will be visible on cve.org soon.
> Update security page text for CVE-2021-44228
> --------------------------------------------
>
> Key: LOG4J2-3214
> URL: https://issues.apache.org/jira/browse/LOG4J2-3214
> Project: Log4j 2
> Issue Type: Documentation
> Affects Versions: 2.15.0
> Reporter: Remko Popma
> Priority: Major
> Fix For: 2.16.0
>
>
> I propose to update the text for the mitigation section of CVE-2021-44228 on
> [https://logging.apache.org/log4j/2.x/security.html]
> Changes: add Log4j 1.x section, and format the Log4j 2.x section as a bullet
> point list for improved readability.
> ----
> *Log4j 1.x mitigation*: Audit your logging configuration to ensure it has
> no {{JMSAppender}} configured. Log4j 1.x configurations without JMSAppender
> are not impacted by this vulnerability.
> *Log4j 2.x mitigation*: Implement one of the mitigation techniques below.
> * Upgrade to release 2.15.0 or later
> * For releases >= 2.10,
> ** set system property {{log4j2.formatMsgNoLookups}} to {{true}}
> (see [https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties])
> ** or set environment variable {{LOG4J_FORMAT_MSG_NO_LOOKUPS}} to {{true}}
> (see [https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties]).
> * For releases >= 2.7 and <= 2.14.1, modify your logging configuration to
> disable message lookups:
> ** use {{%m{nolookups}}} instead of just {{%m}}
> ** use {{%msg{nolookups}}} instead of just {{%msg}}
> ** use {{%message{nolookups}}} instead of just {{%message}}
> * For releases >= 2.0-beta9 and < 2.7, the only mitigation is to remove the
> {{JndiLookup}} class from the classpath:
> {{zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class}}
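The version-dependent mitigation matrix in the quoted issue text, as an added example that is not part of the Jira thread and not the Log4j project's own tooling: a Python triage script that reads a log4j-core jar's manifest version, checks whether JndiLookup.class is still present, maps the version to the mitigation the text prescribes, and performs the class removal with the standard zipfile module (the equivalent of the quoted zip -q -d command, usable where no zip binary is installed). The sample jars are constructed fixtures with a placeholder class entry, not real Log4j builds, and all function names here are my own.

```python
# Added example, not code from the Log4j project or from the Jira thread above.
# Triage log4j-core jars against the mitigation matrix quoted in the issue text
# and apply the "remove JndiLookup.class" step in pure Python. Sample jars are
# constructed in memory and are not real Log4j builds.
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """Turn '2.0-beta9', '2.10' or '2.14.1' into a comparable tuple.
    A pre-release tag (beta/rc) sorts before the final release of that number."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, tag, tag_num = m.groups()
    pre = (0, int(tag_num)) if tag else (1, 0)
    return (int(major), int(minor), int(patch or 0)) + pre


def jar_version(jar):
    """Read Implementation-Version from META-INF/MANIFEST.MF (None if absent)."""
    with zipfile.ZipFile(jar) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def has_jndi_lookup(jar):
    """True if the jar still ships the JndiLookup class."""
    with zipfile.ZipFile(jar) as zf:
        return JNDI_LOOKUP in zf.namelist()


def mitigation(version, jndi_present=True):
    """Map a log4j-core version to the mitigation the issue text prescribes."""
    v = parse_version(version)
    if v < parse_version("2.0-beta9") or v >= parse_version("2.15.0"):
        return "not affected"
    if not jndi_present:
        return "JndiLookup.class already removed"
    if v >= parse_version("2.10"):
        return "set log4j2.formatMsgNoLookups=true (or upgrade to 2.15.0+)"
    if v >= parse_version("2.7"):
        return "use %m{nolookups} in the pattern layout (or upgrade to 2.15.0+)"
    return "remove JndiLookup.class from the jar (or upgrade to 2.15.0+)"


def strip_jndi_lookup(src, dst):
    """Python equivalent of `zip -q -d log4j-core-*.jar .../JndiLookup.class`:
    copy every entry except JndiLookup.class into a new jar at dst.
    Returns the number of entries dropped (0 means the class was not there)."""
    dropped = 0
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if info.filename == JNDI_LOOKUP:
                dropped += 1
                continue
            zout.writestr(info, zin.read(info.filename))
    return dropped


def build_sample_jar(version, include_jndi=True):
    """Constructed fixture: a minimal jar with a manifest and an optional
    placeholder JndiLookup.class entry. Not a real Log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    buf.seek(0)
    return buf


def triage(jar):
    """Verdict for one jar: (version, jndi_present, recommended mitigation)."""
    version = jar_version(jar)
    present = has_jndi_lookup(jar)
    if version is None:
        return (None, present, "version unknown: inspect manually")
    return (version, present, mitigation(version, present))


if __name__ == "__main__":
    for ver in ("2.0-beta9", "2.3", "2.7", "2.14.1", "2.15.0"):
        print(ver, triage(build_sample_jar(ver)))
    old, fixed = build_sample_jar("2.3"), io.BytesIO()
    print("dropped", strip_jndi_lookup(old, fixed), "entry;",
          "JndiLookup present after:", has_jndi_lookup(fixed))
```

Against a real deployment, pass file paths instead of the in-memory fixtures and write the stripped jar to a new path, then swap it in only after has_jndi_lookup reports False on the result. Note that the script reports what the jar permits, not what the JVM is actually running: for a 2.10 to 2.14.1 jar you still have to confirm the system property or environment variable is set in the process that loads it.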