| <!DOCTYPE html> |
| |
| |
| <!-- |
| | Generated by Apache Maven Doxia Site Renderer 1.11.1 from target/generated-sources/site/asciidoc/security.adoc at 2024-03-06 |
| | Rendered using Apache Maven Fluido Skin 1.11.2 |
| --> |
| <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> |
| <head> |
| <meta charset="UTF-8" /> |
| <meta name="viewport" content="width=device-width, initial-scale=1" /> |
| <meta name="generator" content="Apache Maven Doxia Site Renderer 1.11.1" /> |
| <title>Log4j – Security</title> |
| <link rel="stylesheet" href="./css/apache-maven-fluido-1.11.2.min.css" /> |
| <link rel="stylesheet" href="./css/site.css" /> |
| <link rel="stylesheet" href="./css/print.css" media="print" /> |
| <script src="./js/apache-maven-fluido-1.11.2.min.js"></script> |
| </head> |
| <body class="topBarDisabled"> |
| <div class="container-fluid"> |
| <header> |
| <div id="banner"> |
| <div class="pull-left"><a href="../.." id="bannerLeft"><img src="images/ls-logo.jpg" alt="" style="" /></a></div> |
| <div class="pull-right"><a href="./" id="bannerRight"><img src="images/logo.png" alt="" style="" /></a></div> |
| <div class="clear"><hr/></div> |
| </div> |
| |
| <div id="breadcrumbs"> |
| <ul class="breadcrumb"> |
| <li id="publishDate">Last Published: 2024-03-06<span class="divider">|</span> |
| </li> |
| <li id="projectVersion">Version: 2.23.1</li> |
| </ul> |
| </div> |
| </header> |
| <div class="row-fluid"> |
| <main id="bodyColumn" class="span10" > |
| <h1>Security</h1> |
| <div id="preamble"> |
| <div class="sectionbody"> |
| <div class="paragraph"> |
| <p>The Apache Log4j Security Team takes security seriously. |
| This allows our users to place their trust in Log4j for protecting their mission-critical data. |
| On this page you will find guidance on security-related issues and a list of known vulnerabilities.</p> |
| </div> |
| <div class="admonitionblock warning"> |
| <table> |
| <tr> |
| <td class="icon"> |
| <div class="title">Warning</div> |
| </td> |
| <td class="content"> |
| <div class="paragraph"> |
| <p><a href="http://logging.apache.org/log4j/1.x">Log4j 1</a> has <a href="https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces">reached End of Life</a> in 2015, and is no longer supported. |
| Vulnerabilities reported after August 2015 against Log4j 1 are not checked and will not be fixed. |
| Users should <a href="manual/migration.html">upgrade to Log4j 2</a> to obtain security fixes.</p> |
| </div> |
| </td> |
| </tr> |
| </table> |
| </div> |
| </div> |
| </div> |
| <div class="sect1"> |
| <h2 id="support">Getting support</h2> |
| <div class="sectionbody"> |
| <div class="paragraph"> |
| <p>If you need help building or configuring Log4j, or help following the instructions to mitigate the known vulnerabilities listed here, please use our <a href="support.html#discussions">user support channels</a>.</p> |
| </div> |
| <div class="admonitionblock tip"> |
| <table> |
| <tr> |
| <td class="icon"> |
| <div class="title">Tip</div> |
| </td> |
| <td class="content"> |
| <div class="paragraph"> |
| <p>If you need to apply a source code patch, use the building instructions for the Log4j version that you are using. |
| These instructions can be found in <code>BUILDING.adoc</code> distributed with the sources.</p> |
| </div> |
| </td> |
| </tr> |
| </table> |
| </div> |
| </div> |
| </div> |
| <div class="sect1"> |
| <h2 id="reporting">Reporting vulnerabilities</h2> |
| <div class="sectionbody"> |
| <div class="paragraph"> |
| <p>If you have encountered an unlisted security vulnerability or other unexpected behaviour with a security impact, or if the descriptions here are incomplete, please report it <strong>privately</strong> to <a href="mailto:security@logging.apache.org">the Log4j Security Team</a>.</p> |
| </div> |
| <div class="admonitionblock warning"> |
| <table> |
| <tr> |
| <td class="icon"> |
| <div class="title">Warning</div> |
| </td> |
| <td class="content"> |
| <div class="paragraph"> |
| <p>The Log4j threat model treats configuration files as safe input controlled by the programmer; <strong>potential vulnerabilities that require the ability to modify a configuration are not considered vulnerabilities</strong>, since the access required to do so already implies that the attacker can execute arbitrary code.</p> |
| </div> |
| </td> |
| </tr> |
| </table> |
| </div> |
| </div> |
| </div> |
| <div class="sect1"> |
| <h2 id="policy">Vulnerability handling policy</h2> |
| <div class="sectionbody"> |
| <div class="paragraph"> |
| <p>The Apache Log4j Security Team follows the <a href="https://www.apache.org/security/committers.html">ASF Project Security</a> guide for handling security vulnerabilities.</p> |
| </div> |
| <div class="paragraph"> |
| <p>Reported security vulnerabilities are subject to a vote (preferably by means of <a href="https://logging.apache.org/guidelines.html"><em>lazy approval</em></a>) on the private <a href="mailto:security@logging.apache.org">security mailing list</a> before a CVE is created and its associated content populated. |
| This procedure applies only to the creation of CVEs; it blocks neither vulnerability fixes nor releases.</p> |
| </div> |
| </div> |
| </div> |
| <div class="sect1"> |
| <h2 id="vdr">Vulnerability Disclosure Report (VDR)</h2> |
| <div class="sectionbody"> |
| <div class="paragraph"> |
| <p>Starting with version <code>2.22.0</code>, Log4j distributes a <a href="https://cyclonedx.org/capabilities/vdr">CycloneDX Software Bill of Materials (SBOM)</a> along with each deployed artifact. |
| The produced SBOMs contain BOM-links referring to the <a href="https://cyclonedx.org/capabilities/vdr">CycloneDX Vulnerability Disclosure Report (VDR)</a> that Apache Logging Services uses for all projects it maintains. |
| All of this is streamlined by <code>logging-parent</code>; see <a href="https://logging.apache.org/logging-parent/latest/#cyclonedx-sbom">its website</a> for details.</p> |
| </div> |
| </div> |
| </div> |
| <div class="sect1"> |
| <h2 id="vulnerabilities">Known vulnerabilities</h2> |
| <div class="sectionbody"> |
| <div class="paragraph"> |
| <p>The Log4j Security Team believes that the accuracy, completeness and availability of security information are essential for our users. |
| We therefore pool all such information on this one page, allowing easy searching for security vulnerabilities over a range of criteria.</p> |
| </div> |
| <div class="admonitionblock note"> |
| <table> |
| <tr> |
| <td class="icon"> |
| <div class="title">Note</div> |
| </td> |
| <td class="content"> |
| <div class="paragraph"> |
| <p>We adhere to <a href="https://maven.apache.org/enforcer/enforcer-rules/versionRanges.html">the Maven version range syntax</a> when sharing the versions of affected components. |
| We extend this notation only with the set union operator (<code>∪</code>) to denote the union of multiple ranges.</p> |
| </div> |
| </td> |
| </tr> |
| </table> |
| </div> |
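<div class="paragraph">
<p>As an added illustration of this notation (example code written for this page, not part of Log4j or its documentation), the following Python script parses affected-version expressions written in exactly this form and reports which of the advisories listed further down on this page cover a given <code>log4j-core</code> version. It assumes the Maven qualifier precedence <code>alpha &lt; beta &lt; rc &lt; release</code>, which is sufficient for the version strings that appear on this page; the four expressions embedded in it are copied from the tables below.</p>
</div>

```python
# Added example (not part of the Log4j security page or the Log4j project):
# evaluate whether a Log4j version lies inside an affected-version expression
# written in the Maven range syntax used on this page, extended with the
# union operator "∪".
import re

# Assumption: Maven pre-release qualifier precedence for the tags Log4j used.
# A version without a qualifier is a release and sorts after all of them.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_RELEASE_RANK = 3


def parse_version(text):
    """Turn '2.0-beta9' into a comparable tuple ((2, 0, 0), (1, 9)).

    Numeric parts are padded to three components so that 2.3 == 2.3.0,
    and the qualifier tuple makes 2.3-beta9 < 2.3-rc1 < 2.3."""
    text = text.strip().lower()
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([a-z]+)(\d*))?", text)
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    numbers = tuple(int(p) for p in m.group(1).split("."))
    numbers += (0,) * max(0, 3 - len(numbers))
    if m.group(2) is None:
        qualifier = (_RELEASE_RANK, 0)
    else:
        rank = _QUALIFIER_RANK.get(m.group(2))
        if rank is None:
            raise ValueError("unknown qualifier in %r" % text)
        qualifier = (rank, int(m.group(3) or 0))
    return (numbers, qualifier)


def parse_range(text):
    """Parse one Maven range such as '[2.4, 2.12.3)' into
    (lower, lower_inclusive, upper, upper_inclusive); None means unbounded."""
    text = text.strip()
    if len(text) < 2 or text[0] not in "[(" or text[-1] not in "])":
        raise ValueError("malformed range: %r" % text)
    lower_inc, upper_inc = text[0] == "[", text[-1] == "]"
    body = text[1:-1]
    if "," in body:
        lo, hi = (p.strip() for p in body.split(",", 1))
    else:
        lo = hi = body.strip()  # '[2.3.1]' denotes the single version 2.3.1
    lower = parse_version(lo) if lo else None
    upper = parse_version(hi) if hi else None
    return lower, lower_inc, upper, upper_inc


def in_range(version, rng):
    """Bound check honouring inclusive '[' / ']' and exclusive '(' / ')'."""
    lower, lower_inc, upper, upper_inc = rng
    if lower is not None and (version < lower or (version == lower and not lower_inc)):
        return False
    if upper is not None and (version > upper or (version == upper and not upper_inc)):
        return False
    return True


def is_affected(version_text, expression):
    """True if version_text lies in the union of the ranges in expression."""
    version = parse_version(version_text)
    return any(in_range(version, parse_range(part)) for part in expression.split("∪"))


# Affected-version expressions copied from the advisory tables on this page.
ADVISORIES = {
    "CVE-2021-44832": "[2.0-beta7, 2.3.2) ∪ [2.4, 2.12.4) ∪ [2.13.0, 2.17.1)",
    "CVE-2021-45105": "[2.0-alpha1, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)",
    "CVE-2021-45046": "[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)",
    "CVE-2021-44228": "[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)",
}


def affected_cves(version_text):
    """Sorted list of the CVEs above that cover the given log4j-core version."""
    return sorted(cve for cve, expr in ADVISORIES.items() if is_affected(version_text, expr))


if __name__ == "__main__":
    for v in ("2.0-beta8", "2.3.1", "2.12.4", "2.14.1", "2.17.0", "2.17.1", "2.23.1"):
        print(v, affected_cves(v) or "not affected by the advisories on this page")
```

<div class="paragraph">
<p>Feed it the <code>log4j-core</code> version string taken from the JAR manifest or the dependency tree; because the checker reproduces the exclusive upper bounds, <code>2.17.0</code> correctly comes out as still affected by CVE-2021-44832 while <code>2.17.1</code> is clear of all four.</p>
</div>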
| <div class="sect2"> |
| <h3 id="CVE-2021-44832"><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44832">CVE-2021-44832</a></h3> |
| <table class="tableblock frame-all grid-all stretch"> |
| <colgroup> |
| <col style="width: 16.6666%;"/> |
| <col style="width: 83.3334%;"/> |
| </colgroup> |
| <tbody> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Summary</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock">JDBC appender is vulnerable to remote code execution in certain configurations</p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x Score & Vector</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock">6.6 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)</p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Components affected</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>log4j-core</code></p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Versions affected</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>[2.0-beta7, 2.3.2) ∪ [2.4, 2.12.4) ∪ [2.13.0, 2.17.1)</code></p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Versions fixed</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>2.3.2</code> (for Java 6), <code>2.12.4</code> (for Java 7), or <code>2.17.1</code> (for Java 8 and later)</p></td> |
| </tr> |
| </tbody> |
| </table> |
| <div class="sect3"> |
| <h4 id="CVE-2021-44832-description">Description</h4> |
| <div class="paragraph"> |
| <p>An attacker with write access to the logging configuration can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, which can lead to remote code execution. |
| This issue is fixed by limiting JNDI data source names to the <code>java</code> protocol.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2021-44832-mitigation">Mitigation</h4> |
| <div class="paragraph"> |
| <p>Upgrade to <code>2.3.2</code> (for Java 6), <code>2.12.4</code> (for Java 7), or <code>2.17.1</code> (for Java 8 and later).</p> |
| </div> |
| <div class="paragraph"> |
| <p>In prior releases, confirm that if the JDBC Appender is in use, it is not configured to use any protocol other than <code>java</code>.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2021-44832-references">References</h4> |
| <div class="ulist"> |
| <ul> |
| <li> |
| <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44832">CVE-2021-44832</a></p> |
| </li> |
| </ul> |
| </div> |
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="CVE-2021-45105"><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105">CVE-2021-45105</a></h3> |
| <table class="tableblock frame-all grid-all stretch"> |
| <colgroup> |
| <col style="width: 16.6666%;"/> |
| <col style="width: 83.3334%;"/> |
| </colgroup> |
| <tbody> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Summary</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock">Infinite recursion in lookup evaluation</p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x Score & Vector</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock">5.9 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)</p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Components affected</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>log4j-core</code></p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Versions affected</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>[2.0-alpha1, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)</code></p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Versions fixed</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 7), and <code>2.17.0</code> (for Java 8 and later)</p></td> |
| </tr> |
| </tbody> |
| </table> |
| <div class="sect3"> |
| <h4 id="CVE-2021-45105-description">Description</h4> |
| <div class="paragraph"> |
| <p>Log4j versions <code>2.0-alpha1</code> through <code>2.16.0</code> (excluding <code>2.3.1</code> and <code>2.12.3</code>) did not protect against uncontrolled recursion through self-referential lookups. |
| When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, <code>$${ctx:loginId}</code>), attackers with control over Thread Context Map (MDC) input data can craft malicious input data containing a recursive lookup, resulting in a <code>StackOverflowError</code> that terminates the process. |
| This is also known as a <em>DoS (Denial-of-Service)</em> attack.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2021-45105-mitigation">Mitigation</h4> |
| <div class="paragraph"> |
| <p>Upgrade to <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 7), or <code>2.17.0</code> (for Java 8 and later).</p> |
| </div> |
| <div class="paragraph"> |
| <p>Alternatively, this infinite recursion issue can be mitigated in configuration:</p> |
| </div> |
| <div class="ulist"> |
| <ul> |
| <li> |
| <p>In PatternLayout in the logging configuration, replace Context Lookups like <code>${ctx:loginId}</code> or <code>$${ctx:loginId}</code> with Thread Context Map patterns (<code>%X</code>, <code>%mdc</code>, or <code>%MDC</code>).</p> |
| </li> |
| <li> |
| <p>Otherwise, in the configuration, remove references to Context Lookups like <code>${ctx:loginId}</code> or <code>$${ctx:loginId}</code> where they originate from sources external to the application, such as HTTP headers or user input. |
| Note that this mitigation is insufficient in releases older than <code>2.12.2</code> (for Java 7) and <code>2.16.0</code> (for Java 8 and later), as the issues fixed in those releases will still be present.</p> |
| </li> |
| </ul> |
| </div> |
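<div class="paragraph">
<p>The following Python script, added here as an example and not part of Log4j or its documentation, audits a Log4j 2 XML configuration for the two configuration-level checks described on this page: a JDBC Appender <code>DataSource</code> whose <code>jndiName</code> uses a protocol other than <code>java</code> (CVE-2021-44832, above), and Context Lookups such as <code>$${ctx:loginId}</code> in a <code>PatternLayout</code>, for which it suggests the equivalent <code>%X{…}</code> Thread Context Map pattern (CVE-2021-45105, this section). It also scans a Log4j 1 configuration for the <code>JMSAppender</code> referenced under the Log4j 1 mitigation of CVE-2021-44228 further down. The configurations it embeds are constructed for the example (<code>example.invalid</code> is a placeholder host), shown as one weak configuration beside its corrected form. A <code>jndiName</code> with no protocol at all is left unflagged; that is an assumption about what "a protocol other than <code>java</code>" covers, so such names still deserve a manual look.</p>
</div>

```python
# Added example (not part of the Log4j security page or the Log4j project):
# audit Log4j 2 and Log4j 1 configuration text for the configuration-level
# findings this page describes. Sample configurations are constructed.
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Matches ${ctx:name} and the delayed form $${ctx:name} quoted on this page.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}]*)\}")
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"


def audit_log4j2_xml(config_text):
    """Return findings as (advisory, location, detail, recommendation) tuples."""
    findings = []
    root = ET.fromstring(config_text)
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]  # tolerate namespaced configurations
        # CVE-2021-44832: a JDBC DataSource must only use the java protocol.
        # Assumption: a name with no protocol is not flagged (see lead-in).
        if tag == "DataSource":
            name = elem.get("jndiName", "")
            scheme = urlsplit(name).scheme.lower()
            if scheme and scheme != "java":
                findings.append((
                    "CVE-2021-44832", "DataSource jndiName=%r" % name,
                    "JNDI data source uses protocol %r instead of java" % scheme,
                    "use a java: data source name and upgrade to a fixed release"))
        # CVE-2021-45105: Context Lookups in a layout pattern (attribute or
        # nested <Pattern> element text) should become %X{name}.
        if tag in ("PatternLayout", "Pattern"):
            candidates = list(elem.attrib.values())
            if elem.text:
                candidates.append(elem.text)
            for value in candidates:
                for m in CTX_LOOKUP.finditer(value):
                    findings.append((
                        "CVE-2021-45105", "pattern %r" % value,
                        "Context Lookup %s" % m.group(0),
                        "replace with the Thread Context Map pattern %%X{%s}" % m.group(1)))
    return findings


def audit_log4j1(config_text):
    """Log4j 1 (XML or properties): report every JMSAppender reference (CVE-2021-4104)."""
    return [
        ("CVE-2021-4104", "line %d" % (n + 1), "JMSAppender configured",
         "remove the JMSAppender and migrate to Log4j 2")
        for n, line in enumerate(config_text.splitlines()) if JMS_APPENDER in line
    ]


def report(findings):
    """One human-readable line per finding."""
    return ["%s: %s: %s; %s" % f for f in findings]


# Constructed sample: a weak Log4j 2 configuration and its corrected form.
WEAK_LOG4J2 = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p $${ctx:loginId} %m%n"/>
    </Console>
    <JDBC name="Db" tableName="EVENT_LOG">
      <DataSource jndiName="ldap://example.invalid/ds"/>
      <Column name="MESSAGE" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/><AppenderRef ref="Db"/></Root>
  </Loggers>
</Configuration>
"""
FIXED_LOG4J2 = (WEAK_LOG4J2
                .replace("$${ctx:loginId}", "%X{loginId}")
                .replace("ldap://example.invalid/ds", "java:comp/env/jdbc/LoggingDataSource"))

# Constructed sample Log4j 1 properties configuration.
WEAK_LOG4J1 = """log4j.rootLogger=INFO, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
"""

if __name__ == "__main__":
    for label, text in (("weak log4j2", WEAK_LOG4J2), ("fixed log4j2", FIXED_LOG4J2)):
        print(label, *(report(audit_log4j2_xml(text)) or ["no findings"]), sep="\n  ")
    print("log4j1", *(report(audit_log4j1(WEAK_LOG4J1)) or ["no findings"]), sep="\n  ")
```

<div class="paragraph">
<p>Run it over each <code>log4j2.xml</code> in a deployment as a pre-upgrade inventory; an empty result confirms only the two configuration conditions above, it says nothing about the JNDI lookup in log messages (CVE-2021-44228), for which the only remedy is the upgrade listed in each Mitigation section.</p>
</div>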
| <div class="paragraph"> |
| <p>Note that only the <code>log4j-core</code> JAR file is impacted by this vulnerability. |
| Applications using only the <code>log4j-api</code> JAR file without the <code>log4j-core</code> JAR file are not impacted by this vulnerability.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2021-45105-credits">Credits</h4> |
| <div class="paragraph"> |
| <p>Independently discovered by Hideki Okamoto of Akamai Technologies, Guy Lederfein of Trend Micro Research working with Trend Micro’s Zero Day Initiative, and another anonymous vulnerability researcher.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2021-45105-references">References</h4> |
| <div class="ulist"> |
| <ul> |
| <li> |
| <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105">CVE-2021-45105</a></p> |
| </li> |
| <li> |
| <p><a href="https://issues.apache.org/jira/browse/LOG4J2-3230">LOG4J2-3230</a></p> |
| </li> |
| </ul> |
| </div> |
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="CVE-2021-45046"><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45046">CVE-2021-45046</a></h3> |
| <table class="tableblock frame-all grid-all stretch"> |
| <colgroup> |
| <col style="width: 16.6666%;"/> |
| <col style="width: 83.3334%;"/> |
| </colgroup> |
| <tbody> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Summary</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock">Thread Context Lookup is vulnerable to remote code execution in certain configurations</p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x Score & Vector</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock">9.0 CRITICAL (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)</p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Components affected</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>log4j-core</code></p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Versions affected</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)</code></p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Versions fixed</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 7), and <code>2.17.0</code> (for Java 8 and later)</p></td> |
| </tr> |
| </tbody> |
| </table> |
| <div class="sect3"> |
| <h4 id="CVE-2021-45046-description">Description</h4> |
| <div class="paragraph"> |
| <p>It was found that the fix to address <a href="#CVE-2021-44228">CVE-2021-44228</a> in Log4j <code>2.15.0</code> was incomplete in certain non-default configurations. |
| When the logging configuration uses a non-default Pattern Layout with a Thread Context Lookup (for example, <code>$${ctx:loginId}</code>), attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments. |
| Remote code execution has been demonstrated on macOS, Fedora, Arch Linux, and Alpine Linux.</p> |
| </div> |
| <div class="paragraph"> |
| <p>Note that this vulnerability is not limited to just the JNDI lookup. |
| Any other Lookup could also be included in a Thread Context Map variable and possibly have private details exposed to anyone with access to the logs.</p> |
| </div> |
| <div class="paragraph"> |
| <p>Note that only the <code>log4j-core</code> JAR file is impacted by this vulnerability. |
| Applications using only the <code>log4j-api</code> JAR file without the <code>log4j-core</code> JAR file are not impacted by this vulnerability.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2021-45046-mitigation">Mitigation</h4> |
| <div class="paragraph"> |
| <p>Upgrade to Log4j <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 7), or <code>2.17.0</code> (for Java 8 and later).</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2021-45046-credits">Credits</h4> |
| <div class="paragraph"> |
| <p>This issue was discovered by Kai Mindermann of iC Consult and separately by 4ra1n.</p> |
| </div> |
| <div class="paragraph"> |
| <p>Additional vulnerability details discovered independently by Ash Fox of Google, Alvaro Muñoz and Tony Torralba from GitHub, Anthony Weems of Praetorian, and RyotaK (@ryotkak).</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2021-45046-references">References</h4> |
| <div class="ulist"> |
| <ul> |
| <li> |
| <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45046">CVE-2021-45046</a></p> |
| </li> |
| <li> |
| <p><a href="https://issues.apache.org/jira/browse/LOG4J2-3221">LOG4J2-3221</a></p> |
| </li> |
| </ul> |
| </div> |
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="CVE-2021-44228"><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228">CVE-2021-44228</a></h3> |
| <table class="tableblock frame-all grid-all stretch"> |
| <colgroup> |
| <col style="width: 16.6666%;"/> |
| <col style="width: 83.3334%;"/> |
| </colgroup> |
| <tbody> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Summary</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock">JNDI lookup can be exploited to execute arbitrary code loaded from an LDAP server</p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x Score & Vector</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock">10.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)</p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Components affected</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>log4j-core</code></p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Versions affected</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)</code></p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Versions fixed</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 7), and <code>2.17.0</code> (for Java 8 and later)</p></td> |
| </tr> |
| </tbody> |
| </table> |
| <div class="sect3"> |
| <h4 id="CVE-2021-44228-description">Description</h4> |
| <div class="paragraph"> |
| <p>In Log4j, the JNDI features used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. |
| An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers.</p> |
| </div> |
| <div class="paragraph"> |
| <p>Note that only the <code>log4j-core</code> JAR file is impacted by this vulnerability. |
| Applications using only the <code>log4j-api</code> JAR file without the <code>log4j-core</code> JAR file are not impacted by this vulnerability.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2021-44228-mitigation">Mitigation</h4> |
| <div class="sect4"> |
| <h5 id="CVE-2021-44228-mitigation-log4j1">Log4j 1 mitigation</h5> |
| <div class="admonitionblock warning"> |
| <table> |
| <tr> |
| <td class="icon"> |
| <div class="title">Warning</div> |
| </td> |
| <td class="content"> |
| <div class="paragraph"> |
| <p><a href="http://logging.apache.org/log4j/1.x">Log4j 1</a> has <a href="https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces">reached End of Life</a> in 2015, and is no longer supported. |
| Vulnerabilities reported after August 2015 against Log4j 1 are not checked and will not be fixed. |
| Users should <a href="manual/migration.html">upgrade to Log4j 2</a> to obtain security fixes.</p> |
| </div> |
| </td> |
| </tr> |
| </table> |
| </div> |
| <div class="paragraph"> |
| <p>Log4j 1 does not have Lookups, so the risk is lower. |
| Applications using Log4j 1 are only vulnerable to this attack when they use JNDI in their configuration. |
| A separate CVE (<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-4104">CVE-2021-4104</a>) has been filed for this vulnerability. |
| To mitigate, audit your logging configuration to ensure it has no <code>JMSAppender</code> configured. |
| Log4j 1 configurations without <code>JMSAppender</code> are not impacted by this vulnerability.</p> |
| </div> |
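| <div class="paragraph"> |
| <p>The audit described above, as an added example that is not Log4j project code: it scans the two classic Log4j 1 configuration formats (<code>log4j.properties</code> and <code>log4j.xml</code>) for a configured <code>JMSAppender</code>. The sample configurations, the <code>audit</code> helper and the <code>com.example.ContextFactory</code> value are constructed for illustration.</p> |
| </div> |

```python
"""Added example (not Log4j project code): scan Log4j 1 configuration
for the JMSAppender that the advisory above says to audit for; the
sample configurations below are constructed for illustration."""
import re
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
_PROP = re.compile(r"log4j\.appender\.([^.=:\s]+)\s*[=:]\s*(\S+)")

def find_jms_in_properties(text):
    """Names of appenders bound to JMSAppender in log4j.properties content."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank lines and comments
        m = _PROP.fullmatch(line)
        if m and m.group(2) == JMS_APPENDER:
            found.append(m.group(1))
    return found

def find_jms_in_xml(text):
    """Names of <appender> elements whose class is JMSAppender in log4j.xml."""
    root = ET.fromstring(text)
    return [a.get("name", "?") for a in root.iter("appender")
            if a.get("class") == JMS_APPENDER]

def audit(properties_text=None, xml_text=None):
    """Combined findings; an empty list means no JMSAppender is configured."""
    hits = []
    if properties_text is not None:
        hits += [("properties", n) for n in find_jms_in_properties(properties_text)]
    if xml_text is not None:
        hits += [("xml", n) for n in find_jms_in_xml(xml_text)]
    return hits

# Constructed samples: the properties file wires a JMS appender, the XML does not.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=com.example.ContextFactory
"""
SAMPLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <root><level value="info"/><appender-ref ref="console"/></root>
</log4j:configuration>
"""
```
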
| </div> |
| <div class="sect4"> |
| <h5 id="CVE-2021-44228-mitigation-log4j2">Log4j 2 mitigation</h5> |
| <div class="paragraph"> |
| <p>Upgrade to Log4j <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 7), or <code>2.17.0</code> (for Java 8 and later).</p> |
| </div> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2021-44228-credits">Credits</h4> |
| <div class="paragraph"> |
| <p>This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2021-44228-references">References</h4> |
| <div class="ulist"> |
| <ul> |
| <li> |
| <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228">CVE-2021-44228</a></p> |
| </li> |
| <li> |
| <p><a href="https://issues.apache.org/jira/browse/LOG4J2-3198">LOG4J2-3198</a></p> |
| </li> |
| <li> |
| <p><a href="https://issues.apache.org/jira/browse/LOG4J2-3201">LOG4J2-3201</a></p> |
| </li> |
| </ul> |
| </div> |
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="CVE-2020-9488"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-9488">CVE-2020-9488</a></h3> |
| <table class="tableblock frame-all grid-all stretch"> |
| <colgroup> |
| <col style="width: 16.6666%;"/> |
| <col style="width: 83.3334%;"/> |
| </colgroup> |
| <tbody> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Summary</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock">Improper validation of certificate with host mismatch in SMTP appender</p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x Score & Vector</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock">3.7 LOW (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)</p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Components affected</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>log4j-core</code></p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Versions affected</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>[2.0-beta1, 2.12.3) ∪ [2.13.1, 2.13.2)</code></p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Versions fixed</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>2.12.3</code> (Java 7) and <code>2.13.2</code> (Java 8 and later)</p></td> |
| </tr> |
| </tbody> |
| </table> |
| <div class="sect3"> |
| <h4 id="CVE-2020-9488-description">Description</h4> |
| <div class="paragraph"> |
| <p>Improper validation of certificate with host mismatch in SMTP appender. |
| This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack, which could leak any log messages sent through that appender.</p> |
| </div> |
| <div class="paragraph"> |
| <p>The reported issue was caused by an error in <code>SslConfiguration</code>. |
| Any element using <code>SslConfiguration</code> in the Log4j <code>Configuration</code> is also affected by this issue. |
| This includes <code>HttpAppender</code>, <code>SocketAppender</code>, and <code>SyslogAppender</code>. |
| Usages of <code>SslConfiguration</code> that are configured via system properties are not affected.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2020-9488-mitigation">Mitigation</h4> |
| <div class="paragraph"> |
| <p>Upgrade to <code>2.12.3</code> (Java 7) or <code>2.13.2</code> (Java 8 and later).</p> |
| </div> |
| <div class="paragraph"> |
| <p>Alternatively, users can set the <code>mail.smtp.ssl.checkserveridentity</code> system property to <code>true</code> to enable SMTPS hostname verification for all SMTPS mail sessions.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2020-9488-credits">Credits</h4> |
| <div class="paragraph"> |
| <p>This issue was discovered by Peter Stöckli.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2020-9488-references">References</h4> |
| <div class="ulist"> |
| <ul> |
| <li> |
| <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-9488">CVE-2020-9488</a></p> |
| </li> |
| <li> |
| <p><a href="https://issues.apache.org/jira/browse/LOG4J2-2819">LOG4J2-2819</a></p> |
| </li> |
| </ul> |
| </div> |
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="CVE-2017-5645"><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-5645">CVE-2017-5645</a></h3> |
| <table class="tableblock frame-all grid-all stretch"> |
| <colgroup> |
| <col style="width: 16.6666%;"/> |
| <col style="width: 83.3334%;"/> |
| </colgroup> |
| <tbody> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Summary</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock">TCP/UDP socket servers can be exploited to execute arbitrary code</p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 2.0 Score & Vector</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock">7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)</p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Components affected</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>log4j-core</code></p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Versions affected</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>[2.0-alpha1, 2.8.2)</code></p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Versions fixed</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>2.8.2</code> (Java 7)</p></td> |
| </tr> |
| </tbody> |
| </table> |
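| <div class="paragraph"> |
| <p>Added example, not Log4j project code: a checker that reads the "Versions affected" ranges exactly as the tables for CVE-2021-44228, CVE-2020-9488 and CVE-2017-5645 above write them (half-open intervals joined by ∪) and reports which of those advisories cover a given <code>log4j-core</code> version. The Maven-style ordering of <code>alpha</code>, <code>beta</code> and <code>rc</code> qualifiers below a final release is an assumption of this example; the <code>ADVISORIES</code> table is copied from this page.</p> |
| </div> |

```python
"""Added example (not Log4j project code): decide whether a log4j-core
version lies in the affected ranges listed in the tables on this page,
written in the page's interval notation, e.g. [2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3)."""
import re
_PRE = {"alpha": 0, "beta": 1, "rc": 2}  # qualifiers sort below a final release
_RANGE = re.compile(r"([\[(])\s*([^,\s]+)\s*,\s*([^\])\s]+)\s*([\])])")

def version_key(v):
    """Turn '2.0-beta9' into a tuple that orders like Maven versions (assumed)."""
    num, _, pre = v.partition("-")
    parts = [int(x) for x in num.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()  # 2.0 and 2.0.0 denote the same release
    if not pre:
        return tuple(parts), (3, 0)  # final release ranks above any qualifier
    m = re.fullmatch(r"(alpha|beta|rc)(\d*)", pre.lower())
    if m is None:
        raise ValueError(f"unsupported qualifier in {v!r}")
    return tuple(parts), (_PRE[m.group(1)], int(m.group(2) or 0))

def parse_ranges(spec):
    """Parse '[a, b) ∪ [c, d)' into (lo, lo_inclusive, hi, hi_inclusive) tuples."""
    ranges = []
    for piece in spec.split("∪"):
        m = _RANGE.fullmatch(piece.strip())
        if m is None:
            raise ValueError(f"bad range: {piece!r}")
        lo_b, lo, hi, hi_b = m.groups()
        ranges.append((lo, lo_b == "[", hi, hi_b == "]"))
    return ranges

def is_affected(version, spec):
    """True if `version` falls inside any interval of `spec`."""
    k = version_key(version)
    for lo, lo_incl, hi, hi_incl in parse_ranges(spec):
        lk, hk = version_key(lo), version_key(hi)
        if (k >= lk if lo_incl else k > lk) and (k <= hk if hi_incl else k < hk):
            return True
    return False

# Affected ranges exactly as listed in the tables on this page.
ADVISORIES = {
    "CVE-2021-44228": "[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)",
    "CVE-2020-9488": "[2.0-beta1, 2.12.3) ∪ [2.13.1, 2.13.2)",
    "CVE-2017-5645": "[2.0-alpha1, 2.8.2)",
}
def affected_by(version):
    """CVE ids from this page whose affected range covers `version`."""
    return [cve for cve, spec in ADVISORIES.items() if is_affected(version, spec)]
```

For example, <code>affected_by("2.14.1")</code> returns only CVE-2021-44228, while <code>affected_by("2.17.0")</code> returns an empty list.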
| <div class="sect3"> |
| <h4 id="CVE-2017-5645-description">Description</h4> |
| <div class="paragraph"> |
| <p>When using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2017-5645-mitigation">Mitigation</h4> |
| <div class="paragraph"> |
| <p>Users on Java 7 and above should migrate to version <code>2.8.2</code> or avoid using the socket server classes. |
| Java 6 users should avoid using the TCP or UDP socket server classes, or they can manually backport <a href="https://github.com/apache/logging-log4j2/commit/5dcc192">the security fix commit</a> from <code>2.8.2</code>.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2017-5645-credits">Credits</h4> |
| <div class="paragraph"> |
| <p>This issue was discovered by Marcio Almeida de Macedo of Red Team at Telstra.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2017-5645-references">References</h4> |
| <div class="ulist"> |
| <ul> |
| <li> |
| <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-5645">CVE-2017-5645</a></p> |
| </li> |
| <li> |
| <p><a href="https://issues.apache.org/jira/browse/LOG4J2-1863">LOG4J2-1863</a></p> |
| </li> |
| <li> |
| <p><a href="https://github.com/apache/logging-log4j2/commit/5dcc192">Security fix commit</a></p> |
| </li> |
| </ul> |
| </div> |
| </div> |
| </div> |
| </div> |
| </div> |
| </main> |
| </div> |
| </div> |
| <hr/> |
| <footer> |
| <div class="container-fluid"> |
| <div class="row-fluid"> |
| <p align="center">Copyright © 1999-2024 <a class="external" href="https://www.apache.org">The Apache Software Foundation</a>. All Rights Reserved.<br> |
| Apache Logging, Apache Log4j, Log4j, Apache, the Apache feather logo, and the Apache Logging project logo are trademarks of The Apache Software Foundation.</p> |
| </div> |
| </div> |
| </footer> |
| <script> |
| if(anchors) { |
| anchors.add(); |
| } |
| </script> |
| </body> |
| </html> |