"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "src/site/markdown/index.md.vm" between
apache-log4j-2.12.3-src.tar.gz and apache-log4j-2.12.4-src.tar.gz

About: Apache Log4j 2 is a logging library for Java. Source distribution (Java).
Caution: The 2.12.x line is the last 2.x series to support Java 7 (Java 8 users should use 2.17.0 or greater). Release 2.12.3 includes the fix for the critical remote code execution vulnerability CVE-2021-44228, and release 2.12.4, compared here, additionally fixes CVE-2021-44832.

index.md.vm  (apache-log4j-2.12.3-src):index.md.vm  (apache-log4j-2.12.4-src)
skipping to change at line 29 skipping to change at line 29
#set($h1='#') #set($h1='#')
#set($h2='##') #set($h2='##')
#set($h3='###') #set($h3='###')
#set($h4='####') #set($h4='####')
$h1 Apache Log4j 2 $h1 Apache Log4j 2
Apache Log4j 2 is an upgrade to Log4j that provides significant improvements ove r its predecessor, Log4j 1.x, and Apache Log4j 2 is an upgrade to Log4j that provides significant improvements ove r its predecessor, Log4j 1.x, and
provides many of the improvements available in Logback while fixing some inheren t problems in Logback's architecture. provides many of the improvements available in Logback while fixing some inheren t problems in Logback's architecture.
<a name="CVE-2021-45105"/> <a name="CVE-2021-44832"/>
$h2 Important: Security Vulnerability CVE-2021-45105 $h2 Important: Security Vulnerability CVE-2021-44832
The Log4j team has been made aware of a security vulnerability, CVE-2021-45105, Summary: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker control
that has been addressed in s configuration.
Log4j 2.17.0 for Java 8 and up, and in Log4j 2.12.3 for Java 7.
Summary: Apache Log4j2 does not always protect from infinite recursion in lookup
evaluation.
$h4 Details $h4 Details
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontroll
ed recursion from self-referential lookups.
When the logging configuration uses a non-default Pattern Layout with a Context
Lookup (for example, ``${dollar}${dollar}{ctx:loginId}``),
attackers with control over Thread Context Map (MDC) input data can craft malici
ous input data that contains a recursive lookup,
resulting in a StackOverflowError that will terminate the process. This is also
known as a DOS (Denial of Service) attack.
$h4 Mitigation
From version 2.17.0 (for Java 8) and 2.12.3 (for Java 7), only lookup strings in
configuration are expanded recursively;
in any other usage, only the top-level lookup is resolved, and any nested lookup
s are not resolved.
In prior releases this issue can be mitigated by ensuring your logging configura
tion does the following:
* In PatternLayout in the logging configuration, replace Context Lookups like `$
{dollar}{ctx:loginId}`or `${dollar}${dollar}{ctx:loginId}` with Thread Context M
ap patterns (%X, %mdc, or %MDC).
* Otherwise, in the configuration, remove references to Context Lookups like `${
dollar}{ctx:loginId}` or `${dollar}${dollar}{ctx:loginId}` where they originate
from sources external to the application such as HTTP headers or user input.
$h4 Reference Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases
Please refer to the [Security page](https://logging.apache.org/log4j/2.x/securit 2.3.2 and 2.12.4) are vulnerable to
y.html#CVE-2021-45105) for details and mitigation measures for older versions of a remote code execution (RCE) attack where an attacker with permission to modify
Log4j. the logging configuration file can
construct a malicious configuration using a JDBC Appender with a data source ref
<a name="CVE-2021-45046"/> erencing a JNDI URI which can execute
$h2 Important: Security Vulnerability CVE-2021-45046 remote code. This issue is fixed by limiting JNDI data source names to the java
protocol in Log4j2 versions 2.17.1,
The Log4j team has been made aware of a security vulnerability, CVE-2021-45046, 2.12.4, and 2.3.2.
that has been addressed in
Log4j 2.12.2 for Java 7 and 2.16.0 for Java 8 and up.
Summary: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code e
xecution in certain non-default configurations.
$h4 Details
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was i
ncomplete in certain non-default configurations.
When the logging configuration uses a non-default Pattern Layout with a Context
Lookup (for example, ``${dollar}${dollar}{ctx:loginId}``),
attackers with control over Thread Context Map (MDC) input data can craft malici
ous input data using a JNDI Lookup pattern,
resulting in an information leak and remote code execution in some environments
and local code execution in all environments;
remote code execution has been demonstrated on macOS but no other tested environ
ments.
Note that previous mitigations involving configuration such as setting the syste
m property `log4j2.formatMsgNoLookups`
to `true` do NOT mitigate this specific vulnerability.
$h4 Mitigation $h4 Mitigation
In version 2.12.2 (for Java 7), Log4j disables access to JNDI by default. Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8
Usage of JNDI in configuration now needs to be enabled explicitly. and later)
Calls to the JndiLookup will now return a constant string.
Also, Log4j now limits the protocols by default to only java.
The message lookups feature has been completely removed. Lookups in configuratio
n still work.
From version 2.16.0 (for Java 8), the message lookups feature has been completel
y removed.
Lookups in configuration still work.
Furthermore, Log4j now disables access to JNDI by default.
Users are advised not to enable JNDI in Log4j 2.16.0.
If the JMS Appender is required, use Log4j 2.12.2.
$h4 Reference $h4 Reference
Please refer to the [Security page](https://logging.apache.org/log4j/2.x/securit Please refer to the [Security page](https://logging.apache.org/log4j/2.x/securit
y.html#CVE-2021-45046) for details and mitigation measures for older versions of y.html#CVE-2021-44832) for details and
Log4j. mitigation measures for older versions of Log4j.
<a name="CVE-2021-44228"/>
$h2 Important: Security Vulnerability CVE-2021-44228
The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, $h2 Important: Security Vulnerabilities CVE-2021-45105, CVE-2021-45046 and CVE-2
that has been addressed 021-44228
in Log4j 2.12.2 and Log4j 2.16.0.
$h4 Summary Please refer to the [Security page](https://logging.apache.org/log4j/2.x/securit
Log4j’s JNDI support has not restricted what names could be resolved. Some proto y.html) for details and mitigation
cols are unsafe or can allow remote code measures for these security issues.
execution.
$h4 Details
One vector that allowed exposure to this vulnerability was Log4j’s allowance of
Lookups to appear in log messages.
This meant that when user input is logged, and that user input contained a JNDI
Lookup pointing to a malicious server,
then Log4j would resolve that JNDI Lookup, connect to that server, and potential
ly download serialized Java code from
that remote server. This in turn could execute any code during deserialization.
This is known as a RCE (Remote Code Execution) attack.
$h4 Mitigation
In version 2.12.2 (for Java 7), Log4j disables access to JNDI by default.
Usage of JNDI in configuration now needs to be enabled explicitly.
Calls to the JndiLookup will now return a constant string.
Also, Log4j now limits the protocols by default to only java.
The message lookups feature has been completely removed. Lookups in configuratio
n still work.
From version 2.16.0 (for Java 8), the message lookups feature has been completel
y removed.
Lookups in configuration still work.
Furthermore, Log4j now disables access to JNDI by default.
Users are advised not to enable JNDI in Log4j 2.16.0.
If the JMS Appender is required, use Log4j 2.12.2.
$h4 Reference
Please refer to the [Security page](https://logging.apache.org/log4j/2.x/securit
y.html#CVE-2021-44228) for mitigation measures for older versions of Log4j.
$h2 Features $h2 Features
$h3 API Separation $h3 API Separation
The API for Log4j is separate from the implementation making it clear for applic ation developers which classes and The API for Log4j is separate from the implementation making it clear for applic ation developers which classes and
methods they can use while ensuring forward compatibility. This allows the Log4j team to improve the implementation methods they can use while ensuring forward compatibility. This allows the Log4j team to improve the implementation
safely and in a compatible manner. safely and in a compatible manner.
The Log4j API is a logging facade that may, of course, be used with the Log4j im plementation, but may also be used The Log4j API is a logging facade that may, of course, be used with the Log4j im plementation, but may also be used
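Review bot: Replacing `<a name="CVE-2021-45105"/>` with `<a name="CVE-2021-44832"/>` and dropping the `CVE-2021-45046` and `CVE-2021-44228` anchors breaks every existing deep link to this page's old sections (for example `index.html#CVE-2021-44228`), which advisories and downstream notices are likely to reference. Keep the three old anchors directly above the new consolidated heading "Important: Security Vulnerabilities CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228" so those links land on the pointer to the Security page rather than at the top of the document.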
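Review bot: The Mitigation for CVE-2021-44832 lists only upgrade targets (2.3.2, 2.12.4, 2.17.1), while the Details state the precondition that the attacker needs "permission to modify the logging configuration file" and that the fix works "by limiting JNDI data source names to the java protocol". For readers who cannot upgrade immediately, add the compensating controls in the same style as the removed CVE-2021-45105 Mitigation: restrict write access to the logging configuration, and do not configure a JDBC Appender whose data source references a JNDI name outside the `java:` namespace.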
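Review bot: The consolidated section for CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228 drops the fixed-version information the removed text carried (2.12.3 for CVE-2021-45105, 2.12.2 for CVE-2021-45046 and CVE-2021-44228), the concrete PatternLayout guidance to replace `$${ctx:loginId}` with `%X{loginId}`, and the warning that setting `log4j2.formatMsgNoLookups` to `true` does NOT mitigate CVE-2021-45046. Since this index is the landing page for the Java 7 line, keep one sentence per CVE naming the 2.12.x release that fixes it and keep the `formatMsgNoLookups` caveat, so a reader does not have to leave the page to learn which release they need.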
End of changes. 8 change blocks. 117 lines changed or deleted, 23 lines changed or added.
