Add table of unfixed CVEs
diff --git a/README.md b/README.md
index 2f7175c..15d13e6 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,5 @@
+# Apache Log4j 1
+
 Dear Log4j community,
 
 While working on the December 2021 Apache Log4j 2 releases the Apache
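Review bot: the new title on the first added line reads "Apache Log4j 1", while the section added further down in this patch says "Log4j 1.x"; use one form in both places so the README names the product line consistently. Since the file body is a letter that opens with "Dear Log4j community,", it is also worth checking that a top-level heading directly above the salutation renders as intended.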
@@ -84,6 +86,21 @@
 code. We welcome community contributions in the migration components
 for better tooling and support.
 
+## Unfixed Vulnerabilities
+
+Several security vulnerabilities have been discovered in Log4j 1.x
+since it was declared end of life. The following table lists the
+CVEs published about these issues.
+
+| Severity | CVE | Summary |
+|----------|-----|---------|
+| High | [CVE-2019-17571](https://www.cve.org/CVERecord?id=CVE-2019-17571) | SocketServer is vulnerable to a remote code execution vulnerability when an attacker can craft malicious serialized log events and send them to a listening SocketServer instance. |
+| Moderate | [CVE-2020-9488](https://www.cve.org/CVERecord?id=CVE-2020-9488) | SMTPAppender is vulnerable to a man-in-the-middle attack when using SMTPS due to lack of hostname verification in the TLS certificate. |
+| High | [CVE-2021-4104](https://www.cve.org/CVERecord?id=CVE-2021-4104) | JMSAppender is vulnerable to a remote code execution vulnerability when an attacker controls either the configuration file or target LDAP server used for setting the TopicBindingName and TopicConnectionFactoryBindingName configurations. |
+| High | [CVE-2022-23302](https://www.cve.org/CVERecord?id=CVE-2022-23302) | JMSSink is vulnerable to a remotecode execution vulnerability when an attacker controls either the configuration file or target LDAP server used for setting the TopicConnectionFactoryBindingName configurations. |
+| High | [CVE-2022-23305](https://www.cve.org/CVERecord?id=CVE-2022-23305) | JDBCAppender is vulnerable to a SQL injection vulnerability when an attacker can craft a malicious log message written to a JDBCAppender. |
+| Critical | [CVE-2022-23307](https://www.cve.org/CVERecord?id=CVE-2022-23307) | Chainsaw versions bundled with Log4j prior to Chainsaw 2.1.0 are vulnerable to a remote code execution vulnerability when an attacker sends malicious serialized log events. See also [CVE-2020-9493](https://www.cve.org/CVERecord?id=CVE-2020-9493) for the CVE affecting the standalone version of Apache Chainsaw. |
+
 
 Regards,<br />
 Ron
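Review bot: typo in the CVE-2022-23302 row, where "remotecode execution" should read "remote code execution". In the same row, "the TopicConnectionFactoryBindingName configurations" names a single setting, so the singular "configuration" fits; the plural is only right in the CVE-2021-4104 row, which lists two. The blank `+` line after the last table row sits directly before an existing blank context line, which leaves two consecutive blank lines before "Regards,"; drop the added one. The Severity column mixes "Moderate" with "High" and "Critical" without saying which rating scale is used, so a short note in the introductory sentence on where these ratings come from would help readers compare them with other sources.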