"Fossies" - the Fresh Open Source Software Archive 
Source code changes of the file "src/site/markdown/index.md.vm" between
apache-log4j-2.12.3-src.tar.gz and apache-log4j-2.12.4-src.tar.gz
About: Apache Log4j 2 is a logging library for Java. Source distribution (Java). Caution: Release 2.12.3 is the last 2.x release to support Java 7 (Java 8 users should use 2.17.0 or greater) and have fixed a critical remote code execution vulnerability (CVE-2021-44228).
| index.md.vm (apache-log4j-2.12.3-src) | : | index.md.vm (apache-log4j-2.12.4-src) | ||
|---|---|---|---|---|
| skipping to change at line 29 | skipping to change at line 29 | |||
| #set($h1='#') | #set($h1='#') | |||
| #set($h2='##') | #set($h2='##') | |||
| #set($h3='###') | #set($h3='###') | |||
| #set($h4='####') | #set($h4='####') | |||
| $h1 Apache Log4j 2 | $h1 Apache Log4j 2 | |||
| Apache Log4j 2 is an upgrade to Log4j that provides significant improvements ove r its predecessor, Log4j 1.x, and | Apache Log4j 2 is an upgrade to Log4j that provides significant improvements ove r its predecessor, Log4j 1.x, and | |||
| provides many of the improvements available in Logback while fixing some inheren t problems in Logback's architecture. | provides many of the improvements available in Logback while fixing some inheren t problems in Logback's architecture. | |||
| <a name="CVE-2021-45105"/> | <a name="CVE-2021-44832"/> | |||
| $h2 Important: Security Vulnerability CVE-2021-45105 | $h2 Important: Security Vulnerability CVE-2021-44832 | |||
| The Log4j team has been made aware of a security vulnerability, CVE-2021-45105, | Summary: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker control | |||
| that has been addressed in | s configuration. | |||
| Log4j 2.17.0 for Java 8 and up, and in Log4j 2.12.3 for Java 7. | ||||
| Summary: Apache Log4j2 does not always protect from infinite recursion in lookup | ||||
| evaluation. | ||||
| $h4 Details | $h4 Details | |||
| Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontroll | ||||
| ed recursion from self-referential lookups. | ||||
| When the logging configuration uses a non-default Pattern Layout with a Context | ||||
| Lookup (for example, ``${dollar}${dollar}{ctx:loginId}``), | ||||
| attackers with control over Thread Context Map (MDC) input data can craft malici | ||||
| ous input data that contains a recursive lookup, | ||||
| resulting in a StackOverflowError that will terminate the process. This is also | ||||
| known as a DOS (Denial of Service) attack. | ||||
| $h4 Mitigation | ||||
| From version 2.17.0 (for Java 8) and 2.12.3 (for Java 7), only lookup strings in | ||||
| configuration are expanded recursively; | ||||
| in any other usage, only the top-level lookup is resolved, and any nested lookup | ||||
| s are not resolved. | ||||
| In prior releases this issue can be mitigated by ensuring your logging configura | ||||
| tion does the following: | ||||
| * In PatternLayout in the logging configuration, replace Context Lookups like `$ | ||||
| {dollar}{ctx:loginId}`or `${dollar}${dollar}{ctx:loginId}` with Thread Context M | ||||
| ap patterns (%X, %mdc, or %MDC). | ||||
| * Otherwise, in the configuration, remove references to Context Lookups like `${ | ||||
| dollar}{ctx:loginId}` or `${dollar}${dollar}{ctx:loginId}` where they originate | ||||
| from sources external to the application such as HTTP headers or user input. | ||||
| $h4 Reference | Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases | |||
| Please refer to the [Security page](https://logging.apache.org/log4j/2.x/securit | 2.3.2 and 2.12.4) are vulnerable to | |||
| y.html#CVE-2021-45105) for details and mitigation measures for older versions of | a remote code execution (RCE) attack where an attacker with permission to modify | |||
| Log4j. | the logging configuration file can | |||
| construct a malicious configuration using a JDBC Appender with a data source ref | ||||
| <a name="CVE-2021-45046"/> | erencing a JNDI URI which can execute | |||
| $h2 Important: Security Vulnerability CVE-2021-45046 | remote code. This issue is fixed by limiting JNDI data source names to the java | |||
| protocol in Log4j2 versions 2.17.1, | ||||
| The Log4j team has been made aware of a security vulnerability, CVE-2021-45046, | 2.12.4, and 2.3.2. | |||
| that has been addressed in | ||||
| Log4j 2.12.2 for Java 7 and 2.16.0 for Java 8 and up. | ||||
| Summary: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code e | ||||
| xecution in certain non-default configurations. | ||||
| $h4 Details | ||||
| It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was i | ||||
| ncomplete in certain non-default configurations. | ||||
| When the logging configuration uses a non-default Pattern Layout with a Context | ||||
| Lookup (for example, ``${dollar}${dollar}{ctx:loginId}``), | ||||
| attackers with control over Thread Context Map (MDC) input data can craft malici | ||||
| ous input data using a JNDI Lookup pattern, | ||||
| resulting in an information leak and remote code execution in some environments | ||||
| and local code execution in all environments; | ||||
| remote code execution has been demonstrated on macOS but no other tested environ | ||||
| ments. | ||||
| Note that previous mitigations involving configuration such as setting the syste | ||||
| m property `log4j2.formatMsgNoLookups` | ||||
| to `true` do NOT mitigate this specific vulnerability. | ||||
| $h4 Mitigation | $h4 Mitigation | |||
| In version 2.12.2 (for Java 7), Log4j disables access to JNDI by default. | Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 | |||
| Usage of JNDI in configuration now needs to be enabled explicitly. | and later) | |||
| Calls to the JndiLookup will now return a constant string. | ||||
| Also, Log4j now limits the protocols by default to only java. | ||||
| The message lookups feature has been completely removed. Lookups in configuratio | ||||
| n still work. | ||||
| From version 2.16.0 (for Java 8), the message lookups feature has been completel | ||||
| y removed. | ||||
| Lookups in configuration still work. | ||||
| Furthermore, Log4j now disables access to JNDI by default. | ||||
| Users are advised not to enable JNDI in Log4j 2.16.0. | ||||
| If the JMS Appender is required, use Log4j 2.12.2. | ||||
| $h4 Reference | $h4 Reference | |||
| Please refer to the [Security page](https://logging.apache.org/log4j/2.x/securit | Please refer to the [Security page](https://logging.apache.org/log4j/2.x/securit | |||
| y.html#CVE-2021-45046) for details and mitigation measures for older versions of | y.html#CVE-2021-44832) for details and | |||
| Log4j. | mitigation measures for older versions of Log4j. | |||
| <a name="CVE-2021-44228"/> | ||||
| $h2 Important: Security Vulnerability CVE-2021-44228 | ||||
| The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, | $h2 Important: Security Vulnerabilities CVE-2021-45105, CVE-2021-45046 and CVE-2 | |||
| that has been addressed | 021-44228 | |||
| in Log4j 2.12.2 and Log4j 2.16.0. | ||||
| $h4 Summary | Please refer to the [Security page](https://logging.apache.org/log4j/2.x/securit | |||
| Log4j’s JNDI support has not restricted what names could be resolved. Some proto | y.html) for details and mitigation | |||
| cols are unsafe or can allow remote code | measures for these security issues. | |||
| execution. | ||||
| $h4 Details | ||||
| One vector that allowed exposure to this vulnerability was Log4j’s allowance of | ||||
| Lookups to appear in log messages. | ||||
| This meant that when user input is logged, and that user input contained a JNDI | ||||
| Lookup pointing to a malicious server, | ||||
| then Log4j would resolve that JNDI Lookup, connect to that server, and potential | ||||
| ly download serialized Java code from | ||||
| that remote server. This in turn could execute any code during deserialization. | ||||
| This is known as a RCE (Remote Code Execution) attack. | ||||
| $h4 Mitigation | ||||
| In version 2.12.2 (for Java 7), Log4j disables access to JNDI by default. | ||||
| Usage of JNDI in configuration now needs to be enabled explicitly. | ||||
| Calls to the JndiLookup will now return a constant string. | ||||
| Also, Log4j now limits the protocols by default to only java. | ||||
| The message lookups feature has been completely removed. Lookups in configuratio | ||||
| n still work. | ||||
| From version 2.16.0 (for Java 8), the message lookups feature has been completel | ||||
| y removed. | ||||
| Lookups in configuration still work. | ||||
| Furthermore, Log4j now disables access to JNDI by default. | ||||
| Users are advised not to enable JNDI in Log4j 2.16.0. | ||||
| If the JMS Appender is required, use Log4j 2.12.2. | ||||
| $h4 Reference | ||||
| Please refer to the [Security page](https://logging.apache.org/log4j/2.x/securit | ||||
| y.html#CVE-2021-44228) for mitigation measures for older versions of Log4j. | ||||
| $h2 Features | $h2 Features | |||
| $h3 API Separation | $h3 API Separation | |||
| The API for Log4j is separate from the implementation making it clear for applic ation developers which classes and | The API for Log4j is separate from the implementation making it clear for applic ation developers which classes and | |||
| methods they can use while ensuring forward compatibility. This allows the Log4j team to improve the implementation | methods they can use while ensuring forward compatibility. This allows the Log4j team to improve the implementation | |||
| safely and in a compatible manner. | safely and in a compatible manner. | |||
| The Log4j API is a logging facade that may, of course, be used with the Log4j im plementation, but may also be used | The Log4j API is a logging facade that may, of course, be used with the Log4j im plementation, but may also be used | |||
| End of changes. 8 change blocks. | ||||
| 117 lines changed or deleted | 23 lines changed or added | |||