<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia Site Renderer 1.11.1 from target/generated-sources/site/markdown/security.md at 2023-05-02
| Rendered using Apache Maven Fluido Skin 1.11.2
-->
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<meta name="generator" content="Apache Maven Doxia Site Renderer 1.11.1" />
<title>Log4j &#x2013; Apache Log4j Security Vulnerabilities</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.11.2.min.css" />
<link rel="stylesheet" href="./css/site.css" />
<link rel="stylesheet" href="./css/print.css" media="print" />
<script src="./js/apache-maven-fluido-1.11.2.min.js"></script>
</head>
<body class="topBarDisabled">
<div class="container-fluid">
<header>
<div id="banner">
<div class="pull-left"><a href="../.." id="bannerLeft"><img src="images/ls-logo.jpg" alt="" style="" /></a></div>
<div class="pull-right"><a href="./" id="bannerRight"><img src="images/logo.png" alt="" style="" /></a></div>
<div class="clear"><hr/></div>
</div>
<div id="breadcrumbs">
<ul class="breadcrumb">
<li id="publishDate">Last Published: 2023-05-02<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 2.20.0</li>
<li class="pull-right"><span class="divider">|</span>
<a href="https://github.com/apache/logging-log4j2" class="externalLink" title="GitHub">GitHub</a></li>
<li class="pull-right"><span class="divider">|</span>
<a href="../../" title="Logging Services">Logging Services</a></li>
<li class="pull-right"><span class="divider">|</span>
<a href="https://www.apache.org/" class="externalLink" title="Apache">Apache</a></li>
<li class="pull-right"><a href="https://cwiki.apache.org/confluence/display/LOGGING/Log4j" class="externalLink" title="Logging Wiki">Logging Wiki</a></li>
</ul>
</div>
</header>
<div class="row-fluid">
<main id="bodyColumn" class="span10" >
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<h1>Apache Log4j Security Vulnerabilities</h1>
<p>This page lists all the security vulnerabilities fixed in released versions of Apache Log4j 2.
Each vulnerability is given a <a href="#Security_Impact_Levels">security impact rating</a>
by the <a class="externalLink" href="mailto:security@logging.apache.org">Apache Logging security team</a>.
Note that this rating may vary from platform to platform. We also list the versions
of Apache Log4j the flaw is known to affect, and, where a flaw has not been verified, list
the version with a question mark.</p>
<p><a class="externalLink" href="http://logging.apache.org/log4j/1.2/">Log4j 1.x</a> has
<a class="externalLink" href="https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces">reached End of Life</a>
in 2015 and is no longer supported.
Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed.
Users should <a href="manual/migration.html">upgrade to Log4j 2</a> to obtain security fixes.</p>
<p>Binary patches are never provided. If you need to apply a source code patch,
use the building instructions for the Apache Log4j version that you are using.
For Log4j 2 these can be found in <code>BUILDING.md</code> located in the root subdirectory of the source distribution.</p>
<p>If you need help on building or configuring Log4j or other help on following the instructions
to mitigate the known vulnerabilities listed here, please
<a class="externalLink" href="mailto:log4j-user-subscribe@logging.apache.org">subscribe to</a>, and send your questions to the public
Log4j <a href="mail-lists.html">Users mailing list</a>.</p>
<p>If you have encountered an unlisted security vulnerability or other unexpected behaviour
that has security impact, or if the descriptions here are incomplete, please report them
privately to <a class="externalLink" href="mailto:security@logging.apache.org">the Log4j Security Team</a>.
Note that reports that assume the attacker already has access to the Log4j configuration do not qualify as a vulnerability.
Thank you for your understanding and help!</p>
<p><a name="CVE-2021-44832"></a><a name="cve-2021-44832"></a></p><section>
<h2><a name="Fixed_in_Log4j_2.17.1_.28Java_8.29.2C_2.12.4_.28Java_7.29_and_2.3.2_.28Java_6.29"></a><a name="log4j-2.17.1"></a> Fixed in Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6)</h2>
<p><a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832">CVE-2021-44832</a>:
Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.</p>
<table border="0" class="table table-striped">
<thead>
<tr class="a">
<th><a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832">CVE-2021-44832</a></th>
<th>Remote Code Execution</th></tr>
</thead><tbody>
<tr class="b">
<td align="left">Severity</td>
<td>Moderate</td></tr>
<tr class="a">
<td align="left">Base CVSS Score</td>
<td>6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)</td></tr>
<tr class="b">
<td align="left">Versions Affected</td>
<td>All versions from 2.0-beta7 to 2.17.0, excluding 2.3.2 and 2.12.4</td></tr>
</tbody>
</table><section>
<h3><a name="Description"></a>Description</h3>
<p>Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to
a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can
construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute
remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1,
2.12.4, and 2.3.2.</p></section><section>
<h3><a name="Mitigation"></a>Mitigation</h3><section>
<h4><a name="Log4j_1.x_mitigation"></a>Log4j 1.x mitigation</h4>
<p>Log4j 1.x is not impacted by this vulnerability.</p></section><section>
<h4><a name="Log4j_2.x_mitigation"></a>Log4j 2.x mitigation</h4>
<p>Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).</p>
<p>In earlier releases, if the JDBC Appender is in use, confirm that its data source is not configured with a JNDI name
that uses any protocol other than <code>java</code>.</p>
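<p>The check above can be automated for a fleet that has not yet upgraded. The following is an added example, not code from the Log4j project: it parses a Log4j 2 XML configuration, finds every JDBC Appender that declares a <code>DataSource</code>, and flags any whose <code>jndiName</code> uses a scheme other than <code>java</code> (plain names without a scheme are resolved inside the initial context and are treated as acceptable). The sample configuration, including the appender names and the <code>.invalid</code> host, is constructed for this example.</p>

```python
"""Static audit of a Log4j 2 XML configuration for JDBC Appender data sources.

Added example, not part of the Log4j project. It mirrors the restriction that
2.17.1 / 2.12.4 / 2.3.2 enforce at runtime (JNDI data source names limited to
the java protocol) as a configuration check for deployments that still run an
earlier release. The sample configuration is constructed for this example;
element and attribute names follow Log4j's case-insensitive matching.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: one JDBC appender bound to a container-managed data
# source, one whose data source name points at a non-java JNDI URI, and a
# Console appender that the audit must ignore.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>
    </Console>
    <JDBC name="AuditDb" tableName="audit_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="eventDate" isEventTimestamp="true"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <Appender type="JDBC" name="RogueDb" tableName="events">
      <DataSource jndiName="ldap://db.example.invalid/cn=ds"/>
      <Column name="message" pattern="%m"/>
    </Appender>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Stdout"/></Root>
  </Loggers>
</Configuration>
"""

ALLOWED_SCHEMES = {"java"}


def _attr(elem, name, default=""):
    """Case-insensitive attribute lookup (Log4j ignores attribute case)."""
    for key, value in elem.attrib.items():
        if key.lower() == name.lower():
            return value
    return default


def jndi_name_is_allowed(name):
    """A plain name (no scheme) is resolved inside the initial context and a
    java: URI stays inside the JVM's own namespace. Any other scheme hands the
    name to a JNDI provider that may contact a remote naming service, which is
    what the fixed releases refuse."""
    scheme = urlsplit(name).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


def audit_jdbc_appenders(config_xml):
    """Return (appender name, jndiName, allowed) for every JDBC appender that
    declares a <DataSource>; both <JDBC> and <Appender type="JDBC"> match."""
    findings = []
    for elem in ET.fromstring(config_xml).iter():
        tag = elem.tag.lower()
        if tag != "jdbc" and not (tag == "appender" and _attr(elem, "type").lower() == "jdbc"):
            continue
        for child in elem:
            if child.tag.lower() == "datasource":
                jndi = _attr(child, "jndiName")
                findings.append((_attr(elem, "name", "?"), jndi, jndi_name_is_allowed(jndi)))
    return findings


def unsafe_jdbc_appenders(config_xml):
    """Names of JDBC appenders whose data source the fixed releases would reject."""
    return [name for name, _, ok in audit_jdbc_appenders(config_xml) if not ok]


if __name__ == "__main__":
    for name, jndi, ok in audit_jdbc_appenders(SAMPLE_CONFIG):
        print("%-8s %-45s %s" % (name, jndi, "ok" if ok else "NOT java protocol"))
```

<p>Run against a real <code>log4j2.xml</code> by passing its contents to <code>audit_jdbc_appenders</code>; a non-empty result from <code>unsafe_jdbc_appenders</code> is the finding to act on. Configurations in JSON, YAML or properties format need a different loader but the same scheme test.</p>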
<p>Note that only the log4j-core JAR file is impacted by this vulnerability.
Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.</p>
<p>Also note that Apache Log4j is the only Logging Services subproject affected by this vulnerability.
Other projects like Log4net and Log4cxx are not impacted by this.</p></section></section><section>
<h3><a name="Release_Details"></a>Release Details</h3>
<p>From version 2.17.1 (and 2.12.4 and 2.3.2 for Java 7 and Java 6 respectively),
the JDBC Appender uses JndiManager and requires the <code>log4j2.enableJndiJdbc</code> system property to be set to
<code>true</code> for JNDI to be enabled.</p>
<p>The property to enable JNDI has been renamed from <code>log4j2.enableJndi</code>
to three separate properties: <code>log4j2.enableJndiLookup</code>, <code>log4j2.enableJndiJms</code>, and <code>log4j2.enableJndiContextSelector</code>.</p>
<p>JNDI functionality has been hardened in versions 2.3.1, 2.12.2, 2.12.3 and 2.17.0:
from these versions onwards, support for the LDAP protocol has been removed and only the JAVA protocol is supported in JNDI connections.</p></section><section>
<h3><a name="Work_in_progress"></a>Work in progress</h3>
<p>The Log4j team will continue to actively update this page as more information becomes known.</p></section><section>
<h3><a name="Credit"></a>Credit</h3>
<p>No credit is being awarded for this issue.</p></section><section>
<h3><a name="References"></a>References</h3>
<ul>
<li><a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832">CVE-2021-44832</a></li>
</ul>
<p><a name="CVE-2021-45105"></a><a name="cve-2021-45046"></a></p></section></section><section>
<h2><a name="Fixed_in_Log4j_2.17.0_.28Java_8.29.2C_2.12.3_.28Java_7.29_and_2.3.1_.28Java_6.29"></a><a name="log4j-2.17.0"></a> Fixed in Log4j 2.17.0 (Java 8), 2.12.3 (Java 7) and 2.3.1 (Java 6)</h2>
<p><a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105">CVE-2021-45105</a>:
Apache Log4j2 does not always protect from infinite recursion in lookup evaluation</p>
<table border="0" class="table table-striped">
<thead>
<tr class="a">
<th><a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105">CVE-2021-45105</a></th>
<th>Denial of Service</th></tr>
</thead><tbody>
<tr class="b">
<td align="left">Severity</td>
<td>Moderate</td></tr>
<tr class="a">
<td align="left">Base CVSS Score</td>
<td>5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)</td></tr>
<tr class="b">
<td align="left">Versions Affected</td>
<td>All versions from 2.0-alpha1 to 2.16.0, excluding 2.12.3</td></tr>
</tbody>
</table><section>
<h3><a name="Description"></a>Description</h3>
<p>Apache Log4j2 versions 2.0-alpha1 through 2.16.0, excluding 2.12.3, did not protect from uncontrolled recursion from self-referential lookups.
When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, <code>$${ctx:loginId}</code>),
attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup,
resulting in a StackOverflowError that will terminate the process. This is also known as a DoS (Denial of Service) attack.</p></section><section>
<h3><a name="Mitigation"></a>Mitigation</h3><section>
<h4><a name="Log4j_1.x_mitigation"></a>Log4j 1.x mitigation</h4>
<p>Log4j 1.x is not impacted by this vulnerability.</p></section><section>
<h4><a name="Log4j_2.x_mitigation"></a>Log4j 2.x mitigation</h4>
<p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).</p>
<p>Alternatively, this infinite recursion issue can be mitigated in configuration:</p>
<ul>
<li>In PatternLayout in the logging configuration, replace Context Lookups like <code>${ctx:loginId}</code> or <code>$${ctx:loginId}</code> with Thread Context Map patterns (%X, %mdc, or %MDC).</li>
<li>Otherwise, in the configuration, remove references to Context Lookups like <code>${ctx:loginId}</code> or <code>$${ctx:loginId}</code> where they originate
from sources external to the application such as HTTP headers or user input. Note that this mitigation is insufficient in
releases older than 2.12.2 (Java 7), and 2.16.0 (Java 8 and later) as the issues fixed in those releases will
still be present.</li>
</ul>
<p>Note that only the log4j-core JAR file is impacted by this vulnerability.
Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.</p>
<p>Also note that Apache Log4j is the only Logging Services subproject affected by this vulnerability.
Other projects like Log4net and Log4cxx are not impacted by this.</p></section></section><section>
<h3><a name="Release_Details"></a>Release Details</h3>
<p>From version 2.17.0 (and 2.12.3 and 2.3.1 for Java 7 and Java 6 respectively),
only lookup strings in configuration are expanded recursively;
in any other usage, only the top-level lookup is resolved, and any nested lookups are not resolved.</p>
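<p>The difference between recursive and top-level-only resolution, and why the <code>%X</code> pattern recommended in the mitigation above is not affected, can be seen in a small model of the substitution. The following is an added example and not Log4j's own substitutor: it resolves <code>${ctx:key}</code> lookups against a constructed Thread Context Map, once with the pre-2.17.0 behaviour (every resolved value is substituted again) and once with the fixed behaviour (only the top-level lookup is resolved), with a depth limit standing in for the StackOverflowError. The MDC contents, pattern strings and the depth limit are assumptions of the example.</p>

```python
"""Bounded lookup resolution versus unbounded recursion.

Added example, not Log4j code: a small stand-in for Log4j's string
substitution that resolves ${ctx:key} against a Thread Context Map (MDC). It
contrasts the behaviour the advisory describes for releases before 2.17.0
(every resolved value is substituted again, so a self-referential MDC value
recurses until the stack overflows) with the fixed behaviour (outside
configuration strings only the top-level lookup is resolved), and shows why
the %X{key} pattern is immune. MDC contents are constructed.
"""
import re

CTX_LOOKUP = re.compile(r"\$\{ctx:([^}]*)\}")
MDC_PATTERN_ITEM = re.compile(r"%X\{([^}]*)\}")


class LookupRecursionError(RuntimeError):
    """Stands in for the StackOverflowError that terminates the process."""


def substitute(text, mdc, recursive, max_depth=50, _depth=0):
    """Replace each ${ctx:key} in `text` with mdc[key] ('' when absent).

    recursive=True  re-substitutes inside every resolved value (pre-fix
                    behaviour; still used for configuration strings).
    recursive=False resolves the top level only (fixed behaviour for event
                    data such as MDC values and messages).
    """
    if _depth > max_depth:
        raise LookupRecursionError("lookup nesting deeper than %d" % max_depth)

    def resolve(match):
        value = mdc.get(match.group(1), "")
        return substitute(value, mdc, True, max_depth, _depth + 1) if recursive else value

    return CTX_LOOKUP.sub(resolve, text)


def render_ctx_pattern(pattern, mdc, recursive):
    """Per-event rendering of a layout whose only lookup is $${ctx:key}: the
    configuration pass turns $${ into ${, then the event pass resolves it."""
    return substitute(pattern.replace("$${", "${"), mdc, recursive)


def render_mdc_pattern(pattern, mdc):
    """%X{key} copies the MDC value verbatim and is never fed back into the
    substitutor, which is why it is the recommended replacement."""
    return MDC_PATTERN_ITEM.sub(lambda m: mdc.get(m.group(1), ""), pattern)


# Constructed MDC contents: a normal login id, and one where the application
# stored externally supplied input that itself contains a lookup.
MDC_BENIGN = {"loginId": "alice"}
MDC_SELF_REFERENTIAL = {"loginId": "${ctx:loginId}"}

CTX_PATTERN = "[%t] $${ctx:loginId} %m%n"
MDC_PATTERN = "[%t] %X{loginId} %m%n"


def demo():
    """Render both MDCs under old, fixed and %X behaviour; returns a dict."""
    out = {
        "benign_fixed": render_ctx_pattern(CTX_PATTERN, MDC_BENIGN, recursive=False),
        "self_ref_fixed": render_ctx_pattern(CTX_PATTERN, MDC_SELF_REFERENTIAL, recursive=False),
        "self_ref_mdc_pattern": render_mdc_pattern(MDC_PATTERN, MDC_SELF_REFERENTIAL),
    }
    try:
        render_ctx_pattern(CTX_PATTERN, MDC_SELF_REFERENTIAL, recursive=True)
        out["self_ref_old"] = "resolved"
    except LookupRecursionError:
        out["self_ref_old"] = "recursion limit hit"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %r" % (key, value))
```

<p>With the fixed behaviour the self-referential value is emitted as the literal text <code>${ctx:loginId}</code> rather than being resolved again, which is the same output the <code>%X{loginId}</code> pattern produces by construction; the recursive variant never terminates on that input and is only stopped here by the depth limit.</p>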
<p>The property to enable JNDI has been renamed from <code>log4j2.enableJndi</code>
to three separate properties: <code>log4j2.enableJndiLookup</code>, <code>log4j2.enableJndiJms</code>, and <code>log4j2.enableJndiContextSelector</code>.</p>
<p>JNDI functionality has been hardened in versions 2.3.1, 2.12.2, 2.12.3 and 2.17.0:
from these versions onwards, support for the LDAP protocol has been removed and only the JAVA protocol is supported in JNDI connections.</p></section><section>
<h3><a name="Work_in_progress"></a>Work in progress</h3>
<p>The Log4j team will continue to actively update this page as more information becomes known.</p></section><section>
<h3><a name="Credit"></a>Credit</h3>
<p>Independently discovered by Hideki Okamoto of Akamai Technologies, Guy Lederfein of Trend Micro Research working with Trend Micro&#x2019;s Zero Day Initiative, and another anonymous vulnerability researcher.</p></section><section>
<h3><a name="References"></a>References</h3>
<ul>
<li><a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105">CVE-2021-45105</a></li>
<li><a class="externalLink" href="https://issues.apache.org/jira/browse/LOG4J2-3230">LOG4J2-3230</a></li>
</ul>
<p><a name="CVE-2021-45046"></a><a name="cve-2021-45046"></a></p></section></section><section>
<h2><a name="Fixed_in_Log4j_2.16.0_.28Java_8.29_and_Log4j_2.12.2_.28Java_7.29"></a><a name="log4j-2.16.0"></a> Fixed in Log4j 2.16.0 (Java 8) and Log4j 2.12.2 (Java 7)</h2>
<p><a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046">CVE-2021-45046</a>:
Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations</p>
<table border="0" class="table table-striped">
<thead>
<tr class="a">
<th><a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046">CVE-2021-45046</a></th>
<th>Remote Code Execution</th></tr>
</thead><tbody>
<tr class="b">
<td align="left">Severity</td>
<td>Critical</td></tr>
<tr class="a">
<td align="left">Base CVSS Score</td>
<td>9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)</td></tr>
<tr class="b">
<td align="left">Versions Affected</td>
<td>All versions from 2.0-beta9 to 2.15.0, excluding 2.12.2</td></tr>
</tbody>
</table><section>
<h3><a name="Description"></a>Description</h3>
<p>It was found that the fix to address <a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228">CVE-2021-44228</a> in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, <code>$${ctx:loginId}</code>),
attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern,
resulting in an information leak and remote code execution in some environments and local code execution in all environments;
remote code execution has been demonstrated on macOS, Fedora, Arch Linux, and Alpine Linux.</p>
<p>Note that this vulnerability is not limited to just the JNDI lookup. Any other Lookup could also be included in a
Thread Context Map variable and possibly have private details exposed to anyone with access to the logs.</p></section><section>
<h3><a name="Mitigation"></a>Mitigation</h3><section>
<h4><a name="Log4j_1.x_mitigation"></a>Log4j 1.x mitigation</h4>
<p>Log4j 1.x is not impacted by this vulnerability.</p></section><section>
<h4><a name="Log4j_2.x_mitigation"></a>Log4j 2.x mitigation</h4>
<p>Implement one of the following mitigation techniques:</p>
<ul>
<li>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).</li>
<li>Otherwise, in any release other than 2.16.0, you may remove the <code>JndiLookup</code> class from the classpath: <code>zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class</code></li>
</ul>
<p>Users are advised that while removing the JndiLookup class prevents a potential RCE from occurring, it still leaves
the application vulnerable to other misuse of Lookups in Thread Context Map data. While the mitigations listed below in
the history section help in some situations, the only real solution is to upgrade to one of the releases listed in the
first bullet above (or a newer release).</p>
<p>Users are advised not to enable JNDI in Log4j 2.16.0, since it still allows LDAP connections.
If the JMS Appender is required, use one of versions 2.3.1, 2.12.2, 2.12.3 or 2.17.0:
from these versions onwards, only the JAVA protocol is supported in JNDI connections.</p>
<p>Note that only the log4j-core JAR file is impacted by this vulnerability.
Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.</p>
<p>Also note that Apache Log4j is the only Logging Services subproject affected by this vulnerability.
Other projects like Log4net and Log4cxx are not impacted by this.</p></section></section><section>
<h3><a name="History"></a>History</h3>
<p><b>Severity is now Critical</b></p>
<p>The original severity of this CVE was rated as Moderate; since this CVE was published security experts found additional
exploits against the Log4j 2.15.0 release, that could lead to information leaks, RCE (remote code execution) and LCE (local code execution) attacks.</p>
<p>Base CVSS Score changed from 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) to 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).</p>
<p>The title of this CVE was changed from mentioning Denial of Service attacks to mentioning Remote Code Execution attacks.</p>
<p>Only Pattern Layouts with a Context Lookup (for example, <code>$${ctx:loginId}</code>) are vulnerable to this.
This page previously incorrectly mentioned that Thread Context Map pattern (<code>%X</code>, <code>%mdc</code>, or <code>%MDC</code>) in the layout would also allow this vulnerability.</p>
<p>While Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default,
there are ways to bypass this and users should not rely on this.</p>
<p><b>Older (discredited) mitigation measures</b></p>
<p>This page previously mentioned other mitigation measures, but we discovered that these measures only limit exposure while leaving some attack vectors open.</p>
<p>Other insufficient mitigation measures are: setting system property <code>log4j2.formatMsgNoLookups</code> or environment variable <code>LOG4J_FORMAT_MSG_NO_LOOKUPS</code> to <code>true</code> for releases &gt;= 2.10, or modifying the logging configuration to disable message lookups with <code>%m{nolookups}</code>, <code>%msg{nolookups}</code> or <code>%message{nolookups}</code> for releases &gt;= 2.7 and &lt;= 2.14.1.</p>
<p>The reason these measures are insufficient is that, in addition to the Thread Context
attack vector mentioned above, there are still code paths in Log4j where message lookups could occur:
known examples are applications that use <code>Logger.printf(&quot;%s&quot;, userInput)</code>, or applications that use a custom message factory,
where the resulting messages do not implement <code>StringBuilderFormattable</code>. There may be other attack vectors.</p>
<p>The safest thing to do is to upgrade Log4j to a safe version, or remove the <code>JndiLookup</code> class from the log4j-core jar.</p></section><section>
<h3><a name="Release_Details"></a>Release Details</h3>
<p>From version 2.16.0 (for Java 8), the message lookups feature has been completely removed. Lookups in configuration still work.
Furthermore, Log4j now disables access to JNDI by default.
JNDI lookups in configuration now need to be enabled explicitly.
Users are advised not to enable JNDI in Log4j 2.16.0, since it still allows LDAP connections.
If the JMS Appender is required, use one of versions 2.3.1, 2.12.2, 2.12.3 or 2.17.0:
from these versions onwards, only the JAVA protocol is supported in JNDI connections.</p>
<p>From version 2.12.2 (for Java 7) and 2.3.1 (for Java 6), the message lookups feature has been completely removed. Lookups in configuration still work.
Furthermore, Log4j now disables access to JNDI by default. JNDI lookups in configuration now need to be enabled explicitly.
When enabled, JNDI will only support the JAVA protocol, support for the LDAP protocol has been removed.</p>
<p>From version 2.17.0 (for Java 8), support for the LDAP protocol has been removed and only the JAVA protocol is supported in JNDI connections.</p>
<p>From version 2.17.0 (for Java 8), 2.12.3 (for Java 7) and 2.3.1 (for Java 6),
the property to enable JNDI has been renamed from <code>log4j2.enableJndi</code>
to three separate properties: <code>log4j2.enableJndiLookup</code>, <code>log4j2.enableJndiJms</code>, and <code>log4j2.enableJndiContextSelector</code>.</p></section><section>
<h3><a name="Work_in_progress"></a>Work in progress</h3>
<p>The Log4j team will continue to actively update this page as more information becomes known.</p></section><section>
<h3><a name="Credit"></a>Credit</h3>
<p>This issue was discovered by Kai Mindermann of iC Consult and separately by 4ra1n.</p>
<p>Additional vulnerability details discovered independently by Ash Fox of Google, Alvaro Mu&#xf1;oz and Tony Torralba from GitHub, Anthony Weems of Praetorian, and RyotaK (@ryotkak).</p></section><section>
<h3><a name="References"></a>References</h3>
<ul>
<li><a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046">CVE-2021-45046</a></li>
<li><a class="externalLink" href="https://issues.apache.org/jira/browse/LOG4J2-3221">LOG4J2-3221</a></li>
</ul>
<p><a name="CVE-2021-44228"></a><a name="cve-2021-44228"></a></p></section></section><section>
<h2><a name="Fixed_in_Log4j_2.15.0_.28Java_8.29"></a><a name="log4j-2.15.0"></a> Fixed in Log4j 2.15.0 (Java 8)</h2>
<p><a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228">CVE-2021-44228</a>: Apache Log4j2 JNDI
features do not protect against attacker controlled LDAP and other JNDI related endpoints. Log4j2 allows
Lookup expressions in the data being logged exposing the JNDI vulnerability, as well as other problems,
to be exploited by end users whose input is being logged.</p>
<table border="0" class="table table-striped">
<thead>
<tr class="a">
<th><a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228">CVE-2021-44228</a></th>
<th>Remote Code Execution</th></tr>
</thead><tbody>
<tr class="b">
<td align="left">Severity</td>
<td>Critical</td></tr>
<tr class="a">
<td align="left">Base CVSS Score</td>
<td>10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H</td></tr>
<tr class="b">
<td align="left">Versions Affected</td>
<td>All versions from 2.0-beta9 to 2.14.1</td></tr>
</tbody>
</table><section>
<h3><a name="Description"></a>Description</h3>
<p>In Apache Log4j2 versions up to and including 2.14.1 (excluding security releases 2.3.1, 2.12.2 and 2.12.3),
the JNDI features used in configurations, log messages, and parameters do not
protect against attacker-controlled LDAP and other JNDI related endpoints.
An attacker who can control log messages or log message parameters can execute
arbitrary code loaded from LDAP servers when message lookup substitution is enabled.</p></section><section>
<h3><a name="Mitigation"></a>Mitigation</h3><section>
<h4><a name="Log4j_1.x_mitigation"></a>Log4j 1.x mitigation</h4>
<p>Log4j 1.x does not have Lookups so the risk is lower.
Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration.
A separate CVE (CVE-2021-4104) has been filed for this vulnerability.
To mitigate: Audit your logging configuration to ensure it has no JMSAppender configured.
Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.</p></section><section>
<h4><a name="Log4j_2.x_mitigation"></a>Log4j 2.x mitigation</h4>
<p>Implement one of the following mitigation techniques:</p>
<ul>
<li>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).</li>
<li>Otherwise, in any release other than 2.16.0, you may remove the <code>JndiLookup</code> class from the classpath: <code>zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class</code></li>
</ul>
<p>Note that simply removing the JndiLookup class only resolves one of the two bugs exposed in CVE-2021-44228. This still
allows users to enter lookup strings into input fields and cause them to be evaluated, which can cause StackOverflowExceptions
or potentially expose private data to anyone with access to the logs. While the mitigations listed below in the
history section help in some situations, the only real solution is to upgrade to one of the releases listed in the
first bullet above (or a newer release).</p>
<p>Note that only the log4j-core JAR file is impacted by this vulnerability.
Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.</p>
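<p>As an added example (not Log4j project code), the following Python script applies the guidance above to a log4j-core jar: it reads the version from the manifest's <code>Implementation-Version</code> attribute (assumed to be present, as it is in log4j-core jars), checks whether <code>JndiLookup.class</code> is still in the archive, and reports whether the jar is fixed, only partially mitigated, or vulnerable. It assumes that later patch releases on the 2.3 and 2.12 lines keep the fix, and it builds a small constructed jar in memory for demonstration.</p>

```python
"""Classify a log4j-core jar against the CVE-2021-44228 guidance above.

Added example, not Log4j project code. The jar produced by
build_sample_jar() is constructed here for demonstration only.
"""
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}  # pre-releases sort before final (3)


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a tuple that compares correctly."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d*))?$", text)
    major, minor, patch, tag, num = m.groups()
    return (int(major), int(minor), int(patch or 0),
            PRE_ORDER.get(tag, 3), int(num or 0))


def assess(jar_bytes):
    """Return a status string for a log4j-core jar given as bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        has_jndi = JNDI_LOOKUP in jar.namelist()
    # Assumption: the manifest carries Implementation-Version (log4j-core does).
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    v = parse_version(m.group(1))
    line = v[:2]
    # Fixed releases named on this page; later patch releases on the 2.3 and
    # 2.12 lines are assumed by this example to keep the fix.
    if ((line == (2, 3) and v >= parse_version("2.3.1"))
            or (line == (2, 12) and v >= parse_version("2.12.2"))
            or v >= parse_version("2.17.0")):
        return "fixed"
    if v[:3] in ((2, 15, 0), (2, 16, 0)):
        return "incomplete fix: upgrade to 2.17.0 or later"
    if v < parse_version("2.0-beta9"):
        return "not affected by CVE-2021-44228"
    if not has_jndi:
        return "JndiLookup removed: partial mitigation, still upgrade"
    return "vulnerable: upgrade or remove JndiLookup"


def build_sample_jar(version, include_jndi_lookup=True):
    """Build a minimal, constructed jar in memory (not a real log4j-core)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()
```

<p>To check a deployed artifact, pass the bytes of a real log4j-core jar (for example <code>open(path, "rb").read()</code>) to <code>assess()</code>.</p>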
<p>Also note that Apache Log4j is the only Logging Services subproject affected by this vulnerability.
Other projects like Log4net and Log4cxx are not impacted by this.</p></section></section><section>
<h3><a name="History"></a>History</h3><section>
<h4><a name="Older_.28discredited.29_mitigation_measures"></a>Older (discredited) mitigation measures</h4>
<p>This page previously mentioned other mitigation measures, but we discovered that these measures only limit exposure while leaving some attack vectors open.</p>
<p>The 2.15.0 release was found to still be vulnerable when the configuration has a Pattern
Layout containing a Context Lookup (for example, <code>$${ctx:loginId}</code>).
When an attacker can control Thread Context values, they may inject a JNDI Lookup pattern, which will be evaluated and result in a JNDI connection.
While Log4j 2.15.0 makes a best-effort attempt to restrict JNDI connections to localhost by default,
there are ways to bypass this and users should not rely on this.</p>
<p>A new CVE (CVE-2021-45046, see above) was raised for this.</p>
<p>Other insufficient mitigation measures are: setting system property <code>log4j2.formatMsgNoLookups</code> or environment variable <code>LOG4J_FORMAT_MSG_NO_LOOKUPS</code> to <code>true</code> for releases &gt;= 2.10, or modifying the logging configuration to disable message lookups with <code>%m{nolookups}</code>, <code>%msg{nolookups}</code> or <code>%message{nolookups}</code> for releases &gt;= 2.7 and &lt;= 2.14.1.</p>
<p>The reason these measures are insufficient is that, in addition to the Thread Context
attack vector mentioned above, there are still code paths in Log4j where message lookups could occur:
known examples are applications that use <code>Logger.printf(&quot;%s&quot;, userInput)</code>, or applications that use a custom message factory,
where the resulting messages do not implement <code>StringBuilderFormattable</code>. There may be other attack vectors.</p>
<p>The safest thing to do is to upgrade Log4j to a safe version, or remove the <code>JndiLookup</code> class from the log4j-core jar.</p></section><section>
<h4><a name="Release_Details"></a>Release Details</h4>
<p>As of Log4j 2.15.0 the message lookups feature was disabled by default. Lookups in configuration still work.
While Log4j 2.15.0 has an option to enable Lookups in this fashion, users are strongly discouraged from enabling it.
A whitelisting mechanism was introduced for JNDI connections, allowing only localhost by default.
The 2.15.0 release was found to have additional vulnerabilities and is not recommended.</p>
<p>From version 2.16.0 (for Java 8), the message lookups feature has been completely removed. Lookups in configuration still work.
Furthermore, Log4j now disables access to JNDI by default.
JNDI lookups in configuration now need to be enabled explicitly.
Users are advised not to enable JNDI in Log4j 2.16.0, since it still allows LDAP connections.
If the JMS Appender is required, use one of these versions: 2.3.1, 2.12.2, 2.12.3 or 2.17.0;
from these versions onwards, only the JAVA protocol is supported in JNDI connections.</p>
<p>From version 2.12.2 (for Java 7) and 2.3.1 (for Java 6), the message lookups feature has been completely removed. Lookups in configuration still work.
Furthermore, Log4j now disables access to JNDI by default. JNDI lookups in configuration now need to be enabled explicitly.
When enabled, JNDI will only support the JAVA protocol, support for the LDAP protocol has been removed.</p>
<p>From version 2.17.0 (for Java 8), support for the LDAP protocol has been removed and only the JAVA protocol is supported in JNDI connections.</p>
<p>From version 2.17.0 (for Java 8), 2.12.3 (for Java 7) and 2.3.1 (for Java 6),
the property to enable JNDI has been renamed from &#x2018;log4j2.enableJndi&#x2019;
to three separate properties: &#x2018;log4j2.enableJndiLookup&#x2019;, &#x2018;log4j2.enableJndiJms&#x2019;, and &#x2018;log4j2.enableJndiContextSelector&#x2019;.</p></section></section><section>
<h3><a name="Work_in_progress"></a>Work in progress</h3>
<p>The Log4j team will continue to actively update this page as more information becomes known.</p></section><section>
<h3><a name="Credit"></a>Credit</h3>
<p>This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team.</p></section><section>
<h3><a name="References"></a>References</h3>
<ul>
<li><a class="externalLink" href="https://issues.apache.org/jira/browse/LOG4J2-3201">https://issues.apache.org/jira/browse/LOG4J2-3201</a></li>
<li><a class="externalLink" href="https://issues.apache.org/jira/browse/LOG4J2-3198">https://issues.apache.org/jira/browse/LOG4J2-3198</a></li>
</ul></section></section><section>
<h2><a name="Fixed_in_Log4j_2.13.2_.28Java_8.29_and_2.12.3_.28Java_7.29"></a><a name="log4j-2.13.2"></a> Fixed in Log4j 2.13.2 (Java 8) and 2.12.3 (Java 7)</h2>
<p><a name="CVE-2020-9488"></a><a name="cve-2020-9488"></a>
<a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9488">CVE-2020-9488</a>: Improper validation of certificate with host mismatch in Apache Log4j SMTP appender.</p>
<table border="0" class="table table-striped">
<thead>
<tr class="a">
<th><a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9488">CVE-2020-9488</a></th>
<th> </th></tr>
</thead><tbody>
<tr class="b">
<td align="left">Severity</td>
<td>Low</td></tr>
<tr class="a">
<td align="left">CVSS Base Score</td>
<td>3.7 (Low) CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N</td></tr>
<tr class="b">
<td align="left">Versions Affected</td>
<td>All versions from 2.0-alpha1 to 2.13.1</td></tr>
</tbody>
</table><section>
<h3><a name="Description"></a>Description</h3>
<p>Improper validation of certificate with host mismatch in
Log4j2 SMTP appender. This could allow an SMTPS connection to be
intercepted by a man-in-the-middle attack which could leak any log
messages sent through that appender.</p>
<p>The reported issue was caused by an error in <code>SslConfiguration</code>. Any element using <code>SslConfiguration</code>
in the Log4j <code>Configuration</code> is also affected by this issue. This includes <code>HttpAppender</code>,
<code>SocketAppender</code>, and <code>SyslogAppender</code>. Usages of <code>SslConfiguration</code> that are configured via system
properties are not affected.</p></section><section>
<h3><a name="Mitigation"></a>Mitigation</h3>
<p>Users should upgrade to Apache Log4j 2.13.2 which fixed this issue in
<a class="externalLink" href="https://issues.apache.org/jira/browse/LOG4J2-2819">https://issues.apache.org/jira/browse/LOG4J2-2819</a>
by making SSL settings configurable for SMTPS mail sessions. As a workaround for previous releases, users can
set the <code>mail.smtp.ssl.checkserveridentity</code> system property to <code>true</code>
to enable SMTPS hostname verification for all SMTPS mail sessions.</p></section><section>
<h3><a name="Credit"></a>Credit</h3>
<p>This issue was discovered by Peter St&#xf6;ckli.</p></section><section>
<h3><a name="References"></a>References</h3>
<ul>
<li><a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9488">CVE-2020-9488</a></li>
<li><a class="externalLink" href="https://issues.apache.org/jira/browse/LOG4J2-2819">LOG4J2-2819</a></li>
</ul></section></section><section>
<h2><a name="Fixed_in_Log4j_2.8.2_.28Java_7.29"></a><a name="log4j-2.8.2"></a> Fixed in Log4j 2.8.2 (Java 7)</h2>
<p><a name="CVE-2017-5645"></a><a name="cve-2017-5645"></a>
<a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645">CVE-2017-5645</a>: Apache Log4j socket receiver deserialization vulnerability.</p>
<table border="0" class="table table-striped">
<thead>
<tr class="a">
<th><a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645">CVE-2017-5645</a></th>
<th> </th></tr>
</thead><tbody>
<tr class="b">
<td align="left">Severity</td>
<td>Moderate</td></tr>
<tr class="a">
<td align="left">CVSS Base Score</td>
<td>7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)</td></tr>
<tr class="b">
<td align="left">Versions Affected</td>
<td>All versions from 2.0-alpha1 to 2.8.1</td></tr>
</tbody>
</table><section>
<h3><a name="Description"></a>Description</h3>
<p>When using the TCP socket server or UDP socket server to
receive serialized log events from another application, a specially crafted
binary payload can be sent that, when deserialized, can execute arbitrary
code.</p></section><section>
<h3><a name="Mitigation"></a>Mitigation</h3>
<p>Java 7 and above users should migrate to version 2.8.2 or avoid using
the socket server classes. Java 6 users should avoid using the TCP or UDP
socket server classes, or they can manually backport the
<a class="externalLink" href="https://github.com/apache/logging-log4j2/commit/5dcc192">security fix commit</a> from
2.8.2.</p></section><section>
<h3><a name="Credit"></a>Credit</h3>
<p>This issue was discovered by Marcio Almeida de Macedo of Red Team
at Telstra.</p></section><section>
<h3><a name="References"></a>References</h3>
<ul>
<li><a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645">CVE-2017-5645</a></li>
<li><a class="externalLink" href="https://issues.apache.org/jira/browse/LOG4J2-1863">LOG4J2-1863</a></li>
<li><a class="externalLink" href="https://github.com/apache/logging-log4j2/commit/5dcc192">Security fix commit</a></li>
</ul></section></section><section>
<h2><a name="Summary_of_security_impact_levels_for_Apache_Log4j"></a><a name="Security_Impact_Levels"></a> Summary of security impact levels for Apache Log4j</h2>
<p>The Apache Log4j Security Team rates the impact of each security flaw that affects Log4j.
We've chosen a rating scale similar to those used by other major vendors in order to
be consistent. The goal of the rating system is to answer the question &#x201c;How worried
should I be about this vulnerability?&#x201d;</p>
<p>Note that the rating chosen for each flaw is the worst possible case across all architectures.
To determine the exact impact of a particular vulnerability on your own systems you will still
need to read the security advisories to find out more about the flaw.</p>
<p>We use the following descriptions to decide on the impact rating to give each vulnerability:</p>
<table border="0" class="table table-striped">
<thead>
<tr class="a">
<th>Severity</th>
<th>CVSS v3 Score Range</th></tr>
</thead><tbody>
<tr class="b">
<td align="left">Critical</td>
<td>9.0 - 10.0</td></tr>
<tr class="a">
<td align="left">High</td>
<td>7.0 - 8.9</td></tr>
<tr class="b">
<td align="left">Moderate</td>
<td>4.0 - 6.9</td></tr>
<tr class="a">
<td align="left">Low</td>
<td>0.1 - 3.9</td></tr>
</tbody>
</table><section>
<h3><a name="Critical"></a>Critical</h3>
<p>A vulnerability rated with a Critical impact is one which could potentially be exploited by
a remote attacker to get Log4j to execute arbitrary code (either as the user the server is
running as, or root). These are the sorts of vulnerabilities that could be exploited automatically
by worms. Critical vulnerabilities score between 9.0 and 10.0 on the
<a class="externalLink" href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator">CVSS v3 calculator</a>.</p></section><section>
<h3><a name="High"></a>High</h3>
<p>A vulnerability rated as High impact is one which could result in the compromise of data
or availability of the server. For Log4j this includes issues that allow an easy remote denial
of service (something that is out of proportion to the attack or with a lasting consequence),
access to arbitrary files outside of the context root, or access to files that should be otherwise
prevented by limits or authentication. High vulnerabilities score between 7.0 and 8.9 on the
<a class="externalLink" href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator">CVSS v3 calculator</a>.</p></section><section>
<h3><a name="Moderate"></a>Moderate</h3>
<p>A vulnerability is likely to be rated as Moderate if there is significant mitigation to make the
issue less of an impact. This might be because the flaw does not affect likely configurations, or
it is a configuration that isn't widely used. Moderate vulnerabilities score between 4.0 and 6.9 on the
<a class="externalLink" href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator">CVSS v3 calculator</a>.</p></section><section>
<h3><a name="Low"></a>Low</h3>
<p>All other security flaws are classed as a Low impact. This rating is used for issues that are believed
to be extremely hard to exploit, or where an exploit gives minimal consequences. Low vulnerabilities
score between 0.1 and 3.9 on the <a class="externalLink" href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator">CVSS v3 calculator</a>.</p></section></section><section>
<h2><a name="CVE_creation_process"></a><a name="cve-creation"></a> CVE creation process</h2>
<p>Reported security vulnerabilities are subject to voting (by means of <a class="externalLink" href="https://logging.apache.org/guidelines.html"><i>lazy approval</i></a>, preferably) in the private <a class="externalLink" href="mailto:security@logging.apache.org">security mailing list</a> before a CVE is created and its associated content populated.
This procedure covers only the creation of CVEs and blocks neither (vulnerability) fixes nor releases.</p></section>
</main>
</div>
</div>
<hr/>
<footer>
<div class="container-fluid">
<div class="row-fluid">
<p align="center">Copyright &copy; 1999-2023 <a class="external" href="https://www.apache.org">The Apache Software Foundation</a>. All Rights Reserved.<br>
Apache Logging, Apache Log4j, Log4j, Apache, the Apache feather logo, and the Apache Logging project logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
</footer>
</body>
</html>