[jira] [Closed] (LOG4J2-3214) Update security page text for CVE-2021-44228

Thu, 16 Dec 2021 00:04:06 -0800 


     [ 
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Remko Popma closed LOG4J2-3214.
-------------------------------
    Resolution: Fixed

> Update security page text for CVE-2021-44228
> --------------------------------------------
>
>                 Key: LOG4J2-3214
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3214
>             Project: Log4j 2
>          Issue Type: Documentation
>    Affects Versions: 2.15.0
>            Reporter: Remko Popma
>            Priority: Major
>             Fix For: 2.16.0
>
>
> I propose to update the text for the mitigation section of CVE-2021-44228 on 
> [https://logging.apache.org/log4j/2.x/security.html]
> Changes: add Log4j 1.x section, and format the Log4j 2.x section as a bullet 
> point list for improved readability.
> ----
> {*}Log4j 1.x mitigation{*}: Audit your logging configuration to ensure it has 
> no {{JMSAppender}} configured. Log4j 1.x configurations without JMSAppender 
> are not impacted by this vulnerability. (Note that there is a separate CVE 
> (CVE-2021-4104) for this vulnerability now.)
> {*}Log4j 2.x mitigation{*}: Implement one of the mitigation techniques below.
>  * Upgrade to release 2.15.0 or later
>  * For releases >= 2.10,
>  ** set system property {{log4j2.formatMsgNoLookups}} to {{true}} (see 
> [https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties])
>  ** or set environment variable {{LOG4J_FORMAT_MSG_NO_LOOKUPS}} to {{true}} 
> (see 
> [https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties]).
>  * For releases >= 2.7 and <= 2.14.1, modify your logging configuration to 
> disable message lookups:
>  ** use {{{}%m{nolookups{}}}} instead of just {{%m}}
>  ** use {{{}%msg{nolookups{}}}} instead of just {{%msg}}
>  ** use {{{}%message{nolookups{}}}} instead of just {{%message}}
>  * For releases >= 2.0-beta9 and < 2.7, the only mitigation is to remove the 
> {{JndiLookup}} class from the classpath: {{zip \-q \-d log4j\-core\-*.jar 
> org/apache/logging/log4j/core/lookup/JndiLookup.class}}
> The log4j-api JAR file in Log4j2 is not impacted by this vulnerability.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to