2.13.2/security.html - logging-log4j-site - Git at Google

 <!DOCTYPE html>
 <!--
  | Generated by Apache Maven Doxia Site Renderer 1.9.1 from src/site/markdown/security.md at 2020-04-25
  | Rendered using Apache Maven Fluido Skin 1.8
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1" />
     <meta name="generator" content="Apache Maven Doxia Site Renderer 1.9.1" />
     <title>Log4j &#x2013; Apache Log4j Security Vulnerabilities</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.8.min.css" />
     <link rel="stylesheet" href="./css/site.css" />
     <link rel="stylesheet" href="./css/print.css" media="print" />
     <script src="./js/apache-maven-fluido-1.8.min.js"></script>
   </head>
   <body class="topBarDisabled">
     <div class="container-fluid">
       <header>
         <div id="banner">
           <div class="pull-left"><a href="http://logging.apache.org" id="bannerLeft"><img src="images/ls-logo.jpg"  alt=""/></a></div>
           <div class="pull-right"><a href="http://logging.apache.org/log4j/2.x" id="bannerRight"><img src="images/logo.png"  alt=""/></a></div>
           <div class="clear"><hr/></div>
         </div>

         <div id="breadcrumbs">
           <ul class="breadcrumb">
         <li id="publishDate">Last Published: 2020-04-25<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 2.13.2</li>
       <li class="pull-right"><span class="divider">|</span>
 <a href="https://github.com/apache/logging-log4j2" class="externalLink" title="GitHub">GitHub</a></li>
       <li class="pull-right"><span class="divider">|</span>
 <a href="https://analysis.apache.org/dashboard/index/org.apache.logging.log4j:log4j" class="externalLink" title="Sonar">Sonar</a></li>
       <li class="pull-right"><span class="divider">|</span>
 <a href="../../" title="Logging Services">Logging Services</a></li>
       <li class="pull-right"><span class="divider">|</span>
 <a href="https://www.apache.org/" class="externalLink" title="Apache">Apache</a></li>
       <li class="pull-right"><a href="https://cwiki.apache.org/confluence/display/LOGGING/Log4j" class="externalLink" title="Logging Wiki">Logging Wiki</a></li>
           </ul>
         </div>
       </header>
       <div class="row-fluid">
         <header id="leftColumn" class="span2">
           <nav class="well sidebar-nav">
   <ul class="nav nav-list">
    <li class="nav-header"><img class="imageLink" src="img/glyphicons/home.png" alt="Apache Log4j™ 2" border="0"/> Apache Log4j™ 2</li>
     <li><a href="index.html" title="About"><span class="none"></span>About</a></li>
     <li><a href="download.html" title="Download"><span class="none"></span>Download</a></li>
     <li><a href="javadoc.html" title="Javadoc"><span class="icon-chevron-right"></span>Javadoc</a></li>
     <li><a href="maven-artifacts.html" title="Maven, Ivy, Gradle Artifacts"><span class="icon-chevron-right"></span>Maven, Ivy, Gradle Artifacts</a></li>
     <li><a href="runtime-dependencies.html" title="Runtime Dependencies"><span class="none"></span>Runtime Dependencies</a></li>
     <li><a href="changelog.html" title="Changelog"><span class="none"></span>Changelog</a></li>
     <li><a href="faq.html" title="FAQ"><span class="none"></span>FAQ</a></li>
     <li><a href="performance.html" title="Performance"><span class="icon-chevron-right"></span>Performance</a></li>
     <li><a href="articles.html" title="Articles and Tutorials"><span class="none"></span>Articles and Tutorials</a></li>
     <li class="active"><a href="#"><span class="none"></span>Security</a></li>
     <li><a href="support.html" title="Support"><span class="none"></span>Support</a></li>
     <li><a href="thanks.html" title="Thanks"><span class="none"></span>Thanks</a></li>
    <li class="nav-header"><img class="imageLink" src="img/glyphicons/pencil.png" alt="For Contributors" border="0"/> For Contributors</li>
     <li><a href="build.html" title="Building Log4j from Source"><span class="none"></span>Building Log4j from Source</a></li>
     <li><a href="guidelines.html" title="Guidelines"><span class="none"></span>Guidelines</a></li>
     <li><a href="javastyle.html" title="Style Guide"><span class="none"></span>Style Guide</a></li>
    <li class="nav-header"><img class="imageLink" src="img/glyphicons/book.png" alt="Manual" border="0"/> Manual</li>
     <li><a href="manual/index.html" title="Introduction"><span class="none"></span>Introduction</a></li>
     <li><a href="manual/architecture.html" title="Architecture"><span class="none"></span>Architecture</a></li>
     <li><a href="manual/compatibility.html" title="Log4j 1.x Compatibility"><span class="none"></span>Log4j 1.x Compatibility</a></li>
     <li><a href="manual/migration.html" title="Log4j 1.x Migration"><span class="none"></span>Log4j 1.x Migration</a></li>
     <li><a href="manual/api.html" title="Java API"><span class="icon-chevron-right"></span>Java API</a></li>
     <li><a href="manual/scala-api.html" title="Scala API"><span class="none"></span>Scala API</a></li>
     <li><a href="manual/configuration.html" title="Configuration"><span class="icon-chevron-right"></span>Configuration</a></li>
     <li><a href="manual/usage.html" title="Usage"><span class="icon-chevron-right"></span>Usage</a></li>
     <li><a href="manual/webapp.html" title="Web Applications and JSPs"><span class="icon-chevron-right"></span>Web Applications and JSPs</a></li>
     <li><a href="manual/lookups.html" title="Lookups"><span class="icon-chevron-right"></span>Lookups</a></li>
     <li><a href="manual/appenders.html" title="Appenders"><span class="icon-chevron-right"></span>Appenders</a></li>
     <li><a href="manual/layouts.html" title="Layouts"><span class="icon-chevron-right"></span>Layouts</a></li>
     <li><a href="manual/filters.html" title="Filters"><span class="icon-chevron-right"></span>Filters</a></li>
     <li><a href="manual/async.html" title="Async Loggers"><span class="icon-chevron-right"></span>Async Loggers</a></li>
     <li><a href="manual/garbagefree.html" title="Garbage-free Logging"><span class="icon-chevron-right"></span>Garbage-free Logging</a></li>
     <li><a href="manual/jmx.html" title="JMX"><span class="none"></span>JMX</a></li>
     <li><a href="manual/logsep.html" title="Logging Separation"><span class="none"></span>Logging Separation</a></li>
     <li><a href="manual/extending.html" title="Extending Log4j"><span class="icon-chevron-right"></span>Extending Log4j</a></li>
     <li><a href="manual/plugins.html" title="Plugins"><span class="icon-chevron-right"></span>Plugins</a></li>
     <li><a href="manual/customconfig.html" title="Programmatic Log4j Configuration"><span class="icon-chevron-right"></span>Programmatic Log4j Configuration</a></li>
     <li><a href="manual/customloglevels.html" title="Custom Log Levels"><span class="icon-chevron-right"></span>Custom Log Levels</a></li>
    <li class="nav-header"><img class="imageLink" src="img/glyphicons/tag.png" alt="Related Projects" border="0"/> Related Projects</li>
     <li><a href="http://logging.apache.org/log4j/scala/index.html" class="externalLink" title="Log4j-Scala"><span class="none"></span>Log4j-Scala</a></li>
    <li class="nav-header"><img class="imageLink" src="img/glyphicons/link.png" alt="Legacy Sites" border="0"/> Legacy Sites</li>
     <li><a href="http://logging.apache.org/log4j/1.2/" class="externalLink" title="Log4j 1.2 - End of Life"><span class="none"></span>Log4j 1.2 - End of Life</a></li>
     <li><a href="http://logging.apache.org/log4j/log4j-2.3/" class="externalLink" title="Log4j 2.3 - Java 6"><span class="none"></span>Log4j 2.3 - Java 6</a></li>
     <li><a href="http://logging.apache.org/log4j/log4j-2.12.1" class="externalLink" title="Log4j 2.12.1 - Java 7"><span class="none"></span>Log4j 2.12.1 - Java 7</a></li>
    <li class="nav-header"><img class="imageLink" src="img/glyphicons/cog.png" alt="Components" border="0"/> Components</li>
     <li><a href="log4j-api/index.html" title="API"><span class="none"></span>API</a></li>
     <li><a href="log4j-core/index.html" title="Implementation"><span class="none"></span>Implementation</a></li>
     <li><a href="log4j-jcl/index.html" title="Commons Logging Bridge"><span class="none"></span>Commons Logging Bridge</a></li>
     <li><a href="log4j-1.2-api/index.html" title="Log4j 1.2 API"><span class="none"></span>Log4j 1.2 API</a></li>
     <li><a href="log4j-slf4j-impl/index.html" title="SLF4J Binding"><span class="none"></span>SLF4J Binding</a></li>
     <li><a href="log4j-jul/index.html" title="JUL Adapter"><span class="none"></span>JUL Adapter</a></li>
     <li><a href="log4j-jpl/index.html" title="JDK Platform Logger"><span class="none"></span>JDK Platform Logger</a></li>
     <li><a href="log4j-to-slf4j/index.html" title="Log4j 2 to SLF4J Adapter"><span class="none"></span>Log4j 2 to SLF4J Adapter</a></li>
     <li><a href="log4j-flume-ng/index.html" title="Apache Flume Appender"><span class="none"></span>Apache Flume Appender</a></li>
     <li><a href="log4j-taglib/index.html" title="Log4j Tag Library"><span class="none"></span>Log4j Tag Library</a></li>
     <li><a href="log4j-jmx-gui/index.html" title="Log4j JMX GUI"><span class="none"></span>Log4j JMX GUI</a></li>
     <li><a href="log4j-web/index.html" title="Log4j Web Application Support"><span class="none"></span>Log4j Web Application Support</a></li>
     <li><a href="log4j-appserver/index.html" title="Log4j Application Server Integration"><span class="none"></span>Log4j Application Server Integration</a></li>
     <li><a href="log4j-couchdb/index.html" title="Log4j CouchDB appender"><span class="none"></span>Log4j CouchDB appender</a></li>
     <li><a href="log4j-mongodb2/index.html" title="Log4j MongoDB2 appender"><span class="none"></span>Log4j MongoDB2 appender</a></li>
     <li><a href="log4j-mongodb3/index.html" title="Log4j MongoDB3 appender"><span class="none"></span>Log4j MongoDB3 appender</a></li>
     <li><a href="log4j-cassandra/index.html" title="Log4j Cassandra appender"><span class="none"></span>Log4j Cassandra appender</a></li>
     <li><a href="log4j-iostreams/index.html" title="Log4j IO Streams"><span class="none"></span>Log4j IO Streams</a></li>
     <li><a href="log4j-liquibase/index.html" title="Log4j Liquibase Binding"><span class="none"></span>Log4j Liquibase Binding</a></li>
     <li><a href="log4j-docker/index.html" title="Log4j Docker Support"><span class="none"></span>Log4j Docker Support</a></li>
     <li><a href="log4j-spring-cloud-config/log4j-spring-cloud-config-client/index.html" title="Log4j Spring Cloud Config Client"><span class="none"></span>Log4j Spring Cloud Config Client</a></li>
    <li class="nav-header"><img class="imageLink" src="img/glyphicons/info.png" alt="Project Information" border="0"/> Project Information</li>
     <li><a href="dependency-convergence.html" title="Dependency Convergence"><span class="none"></span>Dependency Convergence</a></li>
     <li><a href="dependency-management.html" title="Dependency Management"><span class="none"></span>Dependency Management</a></li>
     <li><a href="team-list.html" title="Project Team"><span class="none"></span>Project Team</a></li>
     <li><a href="mail-lists.html" title="Mailing Lists"><span class="none"></span>Mailing Lists</a></li>
     <li><a href="issue-tracking.html" title="Issue Tracking"><span class="none"></span>Issue Tracking</a></li>
     <li><a href="license.html" title="Project License"><span class="none"></span>Project License</a></li>
     <li><a href="source-repository.html" title="Source Repository"><span class="none"></span>Source Repository</a></li>
     <li><a href="project-summary.html" title="Project Summary"><span class="none"></span>Project Summary</a></li>
    <li class="nav-header"><img class="imageLink" src="img/glyphicons/layers.png" alt="Project Reports" border="0"/> Project Reports</li>
     <li><a href="changes-report.html" title="Changes Report"><span class="none"></span>Changes Report</a></li>
     <li><a href="jira-report.html" title="JIRA Report"><span class="none"></span>JIRA Report</a></li>
     <li><a href="rat-report.html" title="RAT Report"><span class="none"></span>RAT Report</a></li>
   </ul>
           </nav>
           <div class="well sidebar-nav">
             <hr />
             <div id="poweredBy">
               <div class="clear"></div>
               <div class="clear"></div>
               <div class="clear"></div>
 <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy"><img class="builtBy" alt="Built by Maven" src="./images/logos/maven-feather.png" /></a>
             </div>
           </div>
         </header>
         <main id="bodyColumn"  class="span10" >
 <!-- vim: set syn=markdown : -->
 <!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements. See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License. You may obtain a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
 -->
 <h1>Apache Log4j Security Vulnerabilities</h1>
 <p>This page lists all the security vulnerabilities fixed in released versions of Apache Log4j 2. Each vulnerability is given a <a href="#Summary_of_security_impact_levels_for_Apache_Log4j">security impact rating</a> by the <a class="externalLink" href="mailto:private@logging.apache.org">Apache Logging security team</a>. please note that this rating may vary from platform to platform. We also list the versions of Apache Log4j the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.</p>
 <p>Note: Vulnerabilities that are not Log4j vulnerabilities but have either been incorrectly reported against Log4j or where Log4j provides a workaround are listed at the end of this page.</p>
 <p>Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.</p>
 <p>Please note that binary patches are never provided. If you need to apply a source code patch, use the building instructions for the Apache Log4j version that you are using. For Log4j 2 this is BUILDING.md. This file can be found in the root subdirectory of a source distributive.</p>
 <p>If you need help on building or configuring Log4j or other help on following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public Log4j Users mailing list</p>
 <p>If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the <a class="externalLink" href="mailto:private@logging.apache.org">Log4j Security Team</a>. Thank you.</p><section><section>
 <h3><a name="Fixed_in_Log4j_2.13.2"></a>Fixed in Log4j 2.13.2</h3>
 <p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9488">CVE-2020-9488</a>:  Improper validation of certificate with host mismatch in Apache Log4j SMTP appender.</p>
 <p>Severity: Low</p>
 <p>CVSS Base Score: 3.7 (Low) CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N</p>
 <p>Versions Affected: all versions from 2.0-alpha1 to 2.13.1</p>
 <p>Descripton: Improper validation of certificate with host mismatch in Log4j2 SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.</p>
 <p>The reported issue was caused by an error in SslConfiguration. Any element using SslConfiguration in the Log4j Configuration is also affected by this issue. This includes HttpAppender, SocketAppender, and SyslogAppender. Usages of SslConfiguration that are configured via system properties are not affected.</p>
 <p>Mitigation: Users should upgrade to Apache Log4j 2.13.2 which fixed this issue in LOG4J2-2819 by making SSL settings configurable for SMTPS mail sessions. As a workaround for previous releases, users can set the mail.smtp.ssl.checkserveridentity system property to true to enable SMTPS hostname verification for all SMTPS mail sessions.</p>
 <p>Credit: This issues was discovered by Peter St&#xf6;ckli.</p>
 <p>References: <a class="externalLink" href="https://issues.apache.org/jira/browse/LOG4J2-2819">https://issues.apache.org/jira/browse/LOG4J2-2819</a></p></section><section>
 <h3><a name="Fixed_in_Log4j_2.8.2"></a>Fixed in Log4j 2.8.2</h3>
 <p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645">CVE-2017-5645</a>: Apache Log4j socket receiver deserialization vulnerability.</p>
 <p>Severity: Moderate</p>
 <p>CVSS Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)</p>
 <p>Versions Affected: all versions from 2.0-alpha1 to 2.8.1</p>
 <p>Description: When using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.</p>
 <p>Mitigation: Java 7+ users should migrate to version 2.8.2 or avoid using the socket server classes. Java 6 users should avoid using the TCP or UDP socket server classes, or they can manually backport the security fix from 2.8.2: <a class="externalLink" href="https://github.com/apache/logging-log4j2/commit/5dcc192">https://github.com/apache/logging-log4j2/commit/5dcc192</a></p>
 <p>Credit: This issue was discovered by Marcio Almeida de Macedo of Red Team at Telstra</p>
 <p>References: <a class="externalLink" href="https://issues.apache.org/jira/browse/LOG4J2-1863">https://issues.apache.org/jira/browse/LOG4J2-1863</a></p></section></section><section>
 <h2><a name="Summary_of_security_impact_levels_for_Apache_Log4j"></a>Summary of security impact levels for Apache Log4j</h2>
 <p>The Apache Log4j Security Team rates the impact of each security flaw that affects Log4j. We&#x2019;ve chosen a rating scale quite similar to those used by other major vendors in order to be consistent. Basically the goal of the rating system is to answer the question &#x201c;How worried should I be about this vulnerability?&#x201d;.</p>
 <p>Note that the rating chosen for each flaw is the worst possible case across all architectures. To determine the exact impact of a particular vulnerability on your own systems you will still need to read the security advisories to find out more about the flaw.</p>
 <p>We use the following descriptions to decide on the impact rating to give each vulnerability:</p><section>
 <h3><a name="Critical"></a>Critical</h3>
 <p>A vulnerability rated with a Critical impact is one which could potentially be exploited by a remote attacker to get Log4j to execute arbitrary code (either as the user the server is running as, or root). These are the sorts of vulnerabilities that could be exploited automatically by worms.</p></section><section>
 <h3><a name="Important"></a>Important</h3>
 <p>A vulnerability rated as Important impact is one which could result in the compromise of data or availability of the server. For Log4j this includes issues that allow an easy remote denial of service (something that is out of proportion to the attack or with a lasting consequence), access to arbitrary files outside of the context root, or access to files that should be otherwise prevented by limits or authentication.</p></section><section>
 <h3><a name="Moderate"></a>Moderate</h3>
 <p>A vulnerability is likely to be rated as Moderate if there is significant mitigation to make the issue less of an impact. This might be because the flaw does not affect likely configurations, or it is a configuration that isn&#x2019;t widely used.</p></section><section>
 <h3><a name="Low"></a>Low</h3>
 <p>All other security flaws are classed as a Low impact. This rating is used for issues that are believed to be extremely hard to exploit, or where an exploit gives minimal consequences.</p></section></section>
         </main>
       </div>
     </div>
     <hr/>
     <footer>
       <div class="container-fluid">
         <div class="row-fluid">
 <p align="center">Copyright &copy; 1999-2020 <a class="external" href="http://www.apache.org">The Apache Software Foundation</a>. All Rights Reserved.<br>
       Apache Logging, Apache Log4j, Log4j, Apache, the Apache feather logo, and the Apache Logging project logo are trademarks of The Apache Software Foundation.</p>
         </div>
       </div>
     </footer>
   </body>
 </html>
	<!DOCTYPE html>
	<!--
	\| Generated by Apache Maven Doxia Site Renderer 1.9.1 from src/site/markdown/security.md at 2020-04-25
	\| Rendered using Apache Maven Fluido Skin 1.8
	-->
	<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
	<head>
	<meta charset="UTF-8" />
	<meta name="viewport" content="width=device-width, initial-scale=1" />
	<meta name="generator" content="Apache Maven Doxia Site Renderer 1.9.1" />
	<title>Log4j – Apache Log4j Security Vulnerabilities</title>
	<link rel="stylesheet" href="./css/apache-maven-fluido-1.8.min.css" />
	<link rel="stylesheet" href="./css/site.css" />
	<link rel="stylesheet" href="./css/print.css" media="print" />
	<script src="./js/apache-maven-fluido-1.8.min.js"></script>
	</head>
	<body class="topBarDisabled">
	<div class="container-fluid">
	<header>
	<div id="banner">
	<div class="pull-left"><a href="http://logging.apache.org" id="bannerLeft"><img src="images/ls-logo.jpg" alt=""/></a></div>
	<div class="pull-right"><a href="http://logging.apache.org/log4j/2.x" id="bannerRight"><img src="images/logo.png" alt=""/></a></div>
	<div class="clear"><hr/></div>
	</div>

	<div id="breadcrumbs">
	<ul class="breadcrumb">
	<li id="publishDate">Last Published: 2020-04-25<span class="divider">\|</span>
	</li>
	<li id="projectVersion">Version: 2.13.2</li>
	<li class="pull-right"><span class="divider">\|</span>
	<a href="https://github.com/apache/logging-log4j2" class="externalLink" title="GitHub">GitHub</a></li>
	<li class="pull-right"><span class="divider">\|</span>
	<a href="https://analysis.apache.org/dashboard/index/org.apache.logging.log4j:log4j" class="externalLink" title="Sonar">Sonar</a></li>
	<li class="pull-right"><span class="divider">\|</span>
	<a href="../../" title="Logging Services">Logging Services</a></li>
	<li class="pull-right"><span class="divider">\|</span>
	<a href="https://www.apache.org/" class="externalLink" title="Apache">Apache</a></li>
	<li class="pull-right"><a href="https://cwiki.apache.org/confluence/display/LOGGING/Log4j" class="externalLink" title="Logging Wiki">Logging Wiki</a></li>
	</ul>
	</div>
	</header>
	<div class="row-fluid">
	<header id="leftColumn" class="span2">
	<nav class="well sidebar-nav">
	<ul class="nav nav-list">
	<li class="nav-header"><img class="imageLink" src="img/glyphicons/home.png" alt="Apache Log4j™ 2" border="0"/> Apache Log4j™ 2</li>
	<li><a href="index.html" title="About"><span class="none"></span>About</a></li>
	<li><a href="download.html" title="Download"><span class="none"></span>Download</a></li>
	<li><a href="javadoc.html" title="Javadoc"><span class="icon-chevron-right"></span>Javadoc</a></li>
	<li><a href="maven-artifacts.html" title="Maven, Ivy, Gradle Artifacts"><span class="icon-chevron-right"></span>Maven, Ivy, Gradle Artifacts</a></li>
	<li><a href="runtime-dependencies.html" title="Runtime Dependencies"><span class="none"></span>Runtime Dependencies</a></li>
	<li><a href="changelog.html" title="Changelog"><span class="none"></span>Changelog</a></li>
	<li><a href="faq.html" title="FAQ"><span class="none"></span>FAQ</a></li>
	<li><a href="performance.html" title="Performance"><span class="icon-chevron-right"></span>Performance</a></li>
	<li><a href="articles.html" title="Articles and Tutorials"><span class="none"></span>Articles and Tutorials</a></li>
	<li class="active"><a href="#"><span class="none"></span>Security</a></li>
	<li><a href="support.html" title="Support"><span class="none"></span>Support</a></li>
	<li><a href="thanks.html" title="Thanks"><span class="none"></span>Thanks</a></li>
	<li class="nav-header"><img class="imageLink" src="img/glyphicons/pencil.png" alt="For Contributors" border="0"/> For Contributors</li>
	<li><a href="build.html" title="Building Log4j from Source"><span class="none"></span>Building Log4j from Source</a></li>
	<li><a href="guidelines.html" title="Guidelines"><span class="none"></span>Guidelines</a></li>
	<li><a href="javastyle.html" title="Style Guide"><span class="none"></span>Style Guide</a></li>
	<li class="nav-header"><img class="imageLink" src="img/glyphicons/book.png" alt="Manual" border="0"/> Manual</li>
	<li><a href="manual/index.html" title="Introduction"><span class="none"></span>Introduction</a></li>
	<li><a href="manual/architecture.html" title="Architecture"><span class="none"></span>Architecture</a></li>
	<li><a href="manual/compatibility.html" title="Log4j 1.x Compatibility"><span class="none"></span>Log4j 1.x Compatibility</a></li>
	<li><a href="manual/migration.html" title="Log4j 1.x Migration"><span class="none"></span>Log4j 1.x Migration</a></li>
	<li><a href="manual/api.html" title="Java API"><span class="icon-chevron-right"></span>Java API</a></li>
	<li><a href="manual/scala-api.html" title="Scala API"><span class="none"></span>Scala API</a></li>
	<li><a href="manual/configuration.html" title="Configuration"><span class="icon-chevron-right"></span>Configuration</a></li>
	<li><a href="manual/usage.html" title="Usage"><span class="icon-chevron-right"></span>Usage</a></li>
	<li><a href="manual/webapp.html" title="Web Applications and JSPs"><span class="icon-chevron-right"></span>Web Applications and JSPs</a></li>
	<li><a href="manual/lookups.html" title="Lookups"><span class="icon-chevron-right"></span>Lookups</a></li>
	<li><a href="manual/appenders.html" title="Appenders"><span class="icon-chevron-right"></span>Appenders</a></li>
	<li><a href="manual/layouts.html" title="Layouts"><span class="icon-chevron-right"></span>Layouts</a></li>
	<li><a href="manual/filters.html" title="Filters"><span class="icon-chevron-right"></span>Filters</a></li>
	<li><a href="manual/async.html" title="Async Loggers"><span class="icon-chevron-right"></span>Async Loggers</a></li>
	<li><a href="manual/garbagefree.html" title="Garbage-free Logging"><span class="icon-chevron-right"></span>Garbage-free Logging</a></li>
	<li><a href="manual/jmx.html" title="JMX"><span class="none"></span>JMX</a></li>
	<li><a href="manual/logsep.html" title="Logging Separation"><span class="none"></span>Logging Separation</a></li>
	<li><a href="manual/extending.html" title="Extending Log4j"><span class="icon-chevron-right"></span>Extending Log4j</a></li>
	<li><a href="manual/plugins.html" title="Plugins"><span class="icon-chevron-right"></span>Plugins</a></li>
	<li><a href="manual/customconfig.html" title="Programmatic Log4j Configuration"><span class="icon-chevron-right"></span>Programmatic Log4j Configuration</a></li>
	<li><a href="manual/customloglevels.html" title="Custom Log Levels"><span class="icon-chevron-right"></span>Custom Log Levels</a></li>
	<li class="nav-header"><img class="imageLink" src="img/glyphicons/tag.png" alt="Related Projects" border="0"/> Related Projects</li>
	<li><a href="http://logging.apache.org/log4j/scala/index.html" class="externalLink" title="Log4j-Scala"><span class="none"></span>Log4j-Scala</a></li>
	<li class="nav-header"><img class="imageLink" src="img/glyphicons/link.png" alt="Legacy Sites" border="0"/> Legacy Sites</li>
	<li><a href="http://logging.apache.org/log4j/1.2/" class="externalLink" title="Log4j 1.2 - End of Life"><span class="none"></span>Log4j 1.2 - End of Life</a></li>
	<li><a href="http://logging.apache.org/log4j/log4j-2.3/" class="externalLink" title="Log4j 2.3 - Java 6"><span class="none"></span>Log4j 2.3 - Java 6</a></li>
	<li><a href="http://logging.apache.org/log4j/log4j-2.12.1" class="externalLink" title="Log4j 2.12.1 - Java 7"><span class="none"></span>Log4j 2.12.1 - Java 7</a></li>
	<li class="nav-header"><img class="imageLink" src="img/glyphicons/cog.png" alt="Components" border="0"/> Components</li>
	<li><a href="log4j-api/index.html" title="API"><span class="none"></span>API</a></li>
	<li><a href="log4j-core/index.html" title="Implementation"><span class="none"></span>Implementation</a></li>
	<li><a href="log4j-jcl/index.html" title="Commons Logging Bridge"><span class="none"></span>Commons Logging Bridge</a></li>
	<li><a href="log4j-1.2-api/index.html" title="Log4j 1.2 API"><span class="none"></span>Log4j 1.2 API</a></li>
	<li><a href="log4j-slf4j-impl/index.html" title="SLF4J Binding"><span class="none"></span>SLF4J Binding</a></li>
	<li><a href="log4j-jul/index.html" title="JUL Adapter"><span class="none"></span>JUL Adapter</a></li>
	<li><a href="log4j-jpl/index.html" title="JDK Platform Logger"><span class="none"></span>JDK Platform Logger</a></li>
	<li><a href="log4j-to-slf4j/index.html" title="Log4j 2 to SLF4J Adapter"><span class="none"></span>Log4j 2 to SLF4J Adapter</a></li>
	<li><a href="log4j-flume-ng/index.html" title="Apache Flume Appender"><span class="none"></span>Apache Flume Appender</a></li>
	<li><a href="log4j-taglib/index.html" title="Log4j Tag Library"><span class="none"></span>Log4j Tag Library</a></li>
	<li><a href="log4j-jmx-gui/index.html" title="Log4j JMX GUI"><span class="none"></span>Log4j JMX GUI</a></li>
	<li><a href="log4j-web/index.html" title="Log4j Web Application Support"><span class="none"></span>Log4j Web Application Support</a></li>
	<li><a href="log4j-appserver/index.html" title="Log4j Application Server Integration"><span class="none"></span>Log4j Application Server Integration</a></li>
	<li><a href="log4j-couchdb/index.html" title="Log4j CouchDB appender"><span class="none"></span>Log4j CouchDB appender</a></li>
	<li><a href="log4j-mongodb2/index.html" title="Log4j MongoDB2 appender"><span class="none"></span>Log4j MongoDB2 appender</a></li>
	<li><a href="log4j-mongodb3/index.html" title="Log4j MongoDB3 appender"><span class="none"></span>Log4j MongoDB3 appender</a></li>
	<li><a href="log4j-cassandra/index.html" title="Log4j Cassandra appender"><span class="none"></span>Log4j Cassandra appender</a></li>
	<li><a href="log4j-iostreams/index.html" title="Log4j IO Streams"><span class="none"></span>Log4j IO Streams</a></li>
	<li><a href="log4j-liquibase/index.html" title="Log4j Liquibase Binding"><span class="none"></span>Log4j Liquibase Binding</a></li>
	<li><a href="log4j-docker/index.html" title="Log4j Docker Support"><span class="none"></span>Log4j Docker Support</a></li>
	<li><a href="log4j-spring-cloud-config/log4j-spring-cloud-config-client/index.html" title="Log4j Spring Cloud Config Client"><span class="none"></span>Log4j Spring Cloud Config Client</a></li>
	<li class="nav-header"><img class="imageLink" src="img/glyphicons/info.png" alt="Project Information" border="0"/> Project Information</li>
	<li><a href="dependency-convergence.html" title="Dependency Convergence"><span class="none"></span>Dependency Convergence</a></li>
	<li><a href="dependency-management.html" title="Dependency Management"><span class="none"></span>Dependency Management</a></li>
	<li><a href="team-list.html" title="Project Team"><span class="none"></span>Project Team</a></li>
	<li><a href="mail-lists.html" title="Mailing Lists"><span class="none"></span>Mailing Lists</a></li>
	<li><a href="issue-tracking.html" title="Issue Tracking"><span class="none"></span>Issue Tracking</a></li>
	<li><a href="license.html" title="Project License"><span class="none"></span>Project License</a></li>
	<li><a href="source-repository.html" title="Source Repository"><span class="none"></span>Source Repository</a></li>
	<li><a href="project-summary.html" title="Project Summary"><span class="none"></span>Project Summary</a></li>
	<li class="nav-header"><img class="imageLink" src="img/glyphicons/layers.png" alt="Project Reports" border="0"/> Project Reports</li>
	<li><a href="changes-report.html" title="Changes Report"><span class="none"></span>Changes Report</a></li>
	<li><a href="jira-report.html" title="JIRA Report"><span class="none"></span>JIRA Report</a></li>
	<li><a href="rat-report.html" title="RAT Report"><span class="none"></span>RAT Report</a></li>
	</ul>
	</nav>
	<div class="well sidebar-nav">
	<hr />
	<div id="poweredBy">
	<div class="clear"></div>
	<div class="clear"></div>
	<div class="clear"></div>
	<a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy"><img class="builtBy" alt="Built by Maven" src="./images/logos/maven-feather.png" /></a>
	</div>
	</div>
	</header>
	<main id="bodyColumn" class="span10" >
	<!-- vim: set syn=markdown : -->
	<!--
	Licensed to the Apache Software Foundation (ASF) under one or more
	contributor license agreements. See the NOTICE file distributed with
	this work for additional information regarding copyright ownership.
	The ASF licenses this file to You under the Apache License, Version 2.0
	(the "License"); you may not use this file except in compliance with
	the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->
	<h1>Apache Log4j Security Vulnerabilities</h1>
	<p>This page lists all the security vulnerabilities fixed in released versions of Apache Log4j 2. Each vulnerability is given a <a href="#Summary_of_security_impact_levels_for_Apache_Log4j">security impact rating</a> by the <a class="externalLink" href="mailto:private@logging.apache.org">Apache Logging security team</a>. please note that this rating may vary from platform to platform. We also list the versions of Apache Log4j the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.</p>
	<p>Note: Vulnerabilities that are not Log4j vulnerabilities but have either been incorrectly reported against Log4j or where Log4j provides a workaround are listed at the end of this page.</p>
	<p>Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.</p>
	<p>Please note that binary patches are never provided. If you need to apply a source code patch, use the building instructions for the Apache Log4j version that you are using. For Log4j 2 this is BUILDING.md. This file can be found in the root subdirectory of a source distributive.</p>
	<p>If you need help on building or configuring Log4j or other help on following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public Log4j Users mailing list</p>
	<p>If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the <a class="externalLink" href="mailto:private@logging.apache.org">Log4j Security Team</a>. Thank you.</p><section><section>
	<h3><a name="Fixed_in_Log4j_2.13.2"></a>Fixed in Log4j 2.13.2</h3>
	<p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9488">CVE-2020-9488</a>: Improper validation of certificate with host mismatch in Apache Log4j SMTP appender.</p>
	<p>Severity: Low</p>
	<p>CVSS Base Score: 3.7 (Low) CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N</p>
	<p>Versions Affected: all versions from 2.0-alpha1 to 2.13.1</p>
	<p>Descripton: Improper validation of certificate with host mismatch in Log4j2 SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.</p>
	<p>The reported issue was caused by an error in SslConfiguration. Any element using SslConfiguration in the Log4j Configuration is also affected by this issue. This includes HttpAppender, SocketAppender, and SyslogAppender. Usages of SslConfiguration that are configured via system properties are not affected.</p>
	<p>Mitigation: Users should upgrade to Apache Log4j 2.13.2 which fixed this issue in LOG4J2-2819 by making SSL settings configurable for SMTPS mail sessions. As a workaround for previous releases, users can set the mail.smtp.ssl.checkserveridentity system property to true to enable SMTPS hostname verification for all SMTPS mail sessions.</p>
	<p>Credit: This issues was discovered by Peter Stöckli.</p>
	<p>References: <a class="externalLink" href="https://issues.apache.org/jira/browse/LOG4J2-2819">https://issues.apache.org/jira/browse/LOG4J2-2819</a></p></section><section>
	<h3><a name="Fixed_in_Log4j_2.8.2"></a>Fixed in Log4j 2.8.2</h3>
	<p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645">CVE-2017-5645</a>: Apache Log4j socket receiver deserialization vulnerability.</p>
	<p>Severity: Moderate</p>
	<p>CVSS Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)</p>
	<p>Versions Affected: all versions from 2.0-alpha1 to 2.8.1</p>
	<p>Description: When using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.</p>
	<p>Mitigation: Java 7+ users should migrate to version 2.8.2 or avoid using the socket server classes. Java 6 users should avoid using the TCP or UDP socket server classes, or they can manually backport the security fix from 2.8.2: <a class="externalLink" href="https://github.com/apache/logging-log4j2/commit/5dcc192">https://github.com/apache/logging-log4j2/commit/5dcc192</a></p>
	<p>Credit: This issue was discovered by Marcio Almeida de Macedo of Red Team at Telstra</p>
	<p>References: <a class="externalLink" href="https://issues.apache.org/jira/browse/LOG4J2-1863">https://issues.apache.org/jira/browse/LOG4J2-1863</a></p></section></section><section>
	<h2><a name="Summary_of_security_impact_levels_for_Apache_Log4j"></a>Summary of security impact levels for Apache Log4j</h2>
	<p>The Apache Log4j Security Team rates the impact of each security flaw that affects Log4j. We’ve chosen a rating scale quite similar to those used by other major vendors in order to be consistent. Basically the goal of the rating system is to answer the question “How worried should I be about this vulnerability?”.</p>
	<p>Note that the rating chosen for each flaw is the worst possible case across all architectures. To determine the exact impact of a particular vulnerability on your own systems you will still need to read the security advisories to find out more about the flaw.</p>
	<p>We use the following descriptions to decide on the impact rating to give each vulnerability:</p><section>
	<h3><a name="Critical"></a>Critical</h3>
	<p>A vulnerability rated with a Critical impact is one which could potentially be exploited by a remote attacker to get Log4j to execute arbitrary code (either as the user the server is running as, or root). These are the sorts of vulnerabilities that could be exploited automatically by worms.</p></section><section>
	<h3><a name="Important"></a>Important</h3>
	<p>A vulnerability rated as Important impact is one which could result in the compromise of data or availability of the server. For Log4j this includes issues that allow an easy remote denial of service (something that is out of proportion to the attack or with a lasting consequence), access to arbitrary files outside of the context root, or access to files that should be otherwise prevented by limits or authentication.</p></section><section>
	<h3><a name="Moderate"></a>Moderate</h3>
	<p>A vulnerability is likely to be rated as Moderate if there is significant mitigation to make the issue less of an impact. This might be because the flaw does not affect likely configurations, or it is a configuration that isn’t widely used.</p></section><section>
	<h3><a name="Low"></a>Low</h3>
	<p>All other security flaws are classed as a Low impact. This rating is used for issues that are believed to be extremely hard to exploit, or where an exploit gives minimal consequences.</p></section></section>
	</main>
	</div>
	</div>
	<hr/>
	<footer>
	<div class="container-fluid">
	<div class="row-fluid">
	<p align="center">Copyright © 1999-2020 <a class="external" href="http://www.apache.org">The Apache Software Foundation</a>. All Rights Reserved.<br>
	Apache Logging, Apache Log4j, Log4j, Apache, the Apache feather logo, and the Apache Logging project logo are trademarks of The Apache Software Foundation.</p>
	</div>
	</div>
	</footer>
	</body>
	</html>