<?xml version="1.0"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<document xmlns="http://maven.apache.org/XDOC/2.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 http://maven.apache.org/xsd/xdoc-2.0.xsd">
<properties>
<title>Log4j 2 Guide</title>
<author email="rgoers@apache.org">Ralph Goers</author>
<author email="ggregory@apache.org">Gary Gregory</author>
<author email="sdeboy@apache.org">Scott Deboy</author>
</properties>
<body>
<a name="CVE-2021-45105"/>
<h2>Important: Security Vulnerabilities CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228</h2>
<p>The Log4j team has been made aware of multiple security vulnerabilities, CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228,
that have been addressed in Log4j 2.3.1 for Java 6.
The same vulnerabilities have been addressed in Log4j 2.12.3 for Java 7, and in
Log4j 2.17.0 for Java 8 and up.</p>
<h3>CVE-2021-45105</h3>
<p>Summary: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.</p>
<h4>Details</h4>
<p>Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups.
When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, <code>$${ctx:loginId}</code>),
attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup,
resulting in a StackOverflowError that will terminate the process. This is also known as a DoS (Denial of Service) attack.</p>
<h4>Mitigation</h4>
<p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8).</p>
<h4>Reference</h4>
<p>Please refer to the <a href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105">Security page</a> for details and mitigation measures for older versions of Log4j.</p>
<a name="CVE-2021-45046"/>
<h3>CVE-2021-45046</h3>
<p>Summary: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.</p>
<h4>Details</h4>
<p>It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, <code>$${ctx:loginId}</code>),
attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern,
resulting in an information leak and remote code execution in some environments and local code execution in all environments;
remote code execution has been demonstrated on macOS but no other tested environments.</p>
<h4>Mitigation</h4>
<p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8).</p>
<h4>Reference</h4>
<p>Please refer to the <a href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046">Security page</a> for details and mitigation measures for older versions of Log4j.</p>
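<p>The two advisories above share one configuration condition: a Pattern Layout whose pattern contains a Context Lookup such as <code>$${ctx:loginId}</code>. The Python script below is added here as an illustration and is not part of the Log4j project or of this page: it flags appenders in a constructed sample configuration whose PatternLayout contains such a lookup, and it reports whether a version string falls inside the affected range 2.0-alpha1 through 2.16.0 while honouring the 2.3.1 and 2.12.3 backports named in the mitigation. The sample configuration, the <code>%X{loginId}</code> converter shown as the non-lookup way to print a Thread Context Map value, and the function names are assumptions of this example.</p>
<source><![CDATA[
```python
import re
import xml.etree.ElementTree as ET
# Constructed sample log4j2.xml (not from the Log4j project). "Risky" uses the
# non-default Context Lookup the advisories describe; "Safe" prints the same
# Thread Context Map value with the %X converter, which does no lookup evaluation.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Risky" target="SYSTEM_OUT">
      <PatternLayout pattern="%d [%t] user=$${ctx:loginId} %m%n"/>
    </Console>
    <RollingFile name="Safe" fileName="app.log" filePattern="app-%i.log">
      <PatternLayout><Pattern>%d [%t] user=%X{loginId} %m%n</Pattern></PatternLayout>
    </RollingFile>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Risky"/></Root></Loggers>
</Configuration>"""
# Matches ${ctx:...} and the $${ctx:...} form quoted in the advisories.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:", re.IGNORECASE)
# Fix releases backported to the Java 6 and Java 7 lines, per the mitigation.
BACKPORT_FIXES = ((2, 3, 1), (2, 12, 3))

def find_context_lookups(config_xml):
    """Names of appenders whose PatternLayout (pattern attribute or <Pattern>
    child) contains a Context Lookup, the condition shared by both CVEs."""
    appenders = ET.fromstring(config_xml).find("Appenders")
    hits = []
    for appender in ([] if appenders is None else appenders):
        for layout in appender.iter("PatternLayout"):
            pattern = layout.get("pattern") or layout.findtext("Pattern") or ""
            if CTX_LOOKUP.search(pattern):
                hits.append(appender.get("name"))
    return hits

def parse_version(version):
    """'2.16.0', '2.3' or '2.0-alpha1' -> (major, minor, patch). The qualifier is
    dropped: 2.0-alpha1, the first 2.x release, is inside the affected range."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-\w+)?$", version)
    if not m:
        raise ValueError("unrecognised Log4j version: " + version)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_affected(version):
    """True for 2.0-alpha1 through 2.16.0, except 2.3.1+ on the 2.3 line and
    2.12.3+ on the 2.12 line; only Log4j 2.x is in scope of these advisories."""
    v = parse_version(version)
    if v[0] != 2 or v >= (2, 17, 0):
        return False
    return not any(v[:2] == fix[:2] and v >= fix for fix in BACKPORT_FIXES)
```
]]></source>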
<a name="CVE-2021-44228"/>
<h3>CVE-2021-44228</h3>
<p>Summary:
Log4j’s JNDI support did not restrict which names could be resolved. Some protocols are unsafe or can allow remote code
execution.</p>
<h4>Details</h4>
<p>One vector that exposed this vulnerability was that Log4j allowed Lookups to appear in log messages.
This meant that when user input was logged, and that user input contained a JNDI Lookup pointing to a malicious server,
Log4j would resolve that JNDI Lookup, connect to that server, and potentially download serialized Java code from
that remote server. That code could in turn execute arbitrary code during deserialization.
This is known as an RCE (Remote Code Execution) attack.</p>
<h4>Mitigation</h4>
<p>Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8).</p>
<h4>Reference</h4>
<p>Please refer to the <a href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228">Security page</a> for details and mitigation measures for older versions of Log4j.</p>
<section name="Apache Log4j 2">
<p>
Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j
1.x, and provides many of the improvements available in Logback while fixing some inherent problems in
Logback's architecture.
</p>
<p>Some of the features and improvements in Log4j 2 are:</p>
<dl>
<dt>API Separation</dt>
<dd>
The API for Log4j is separate from the implementation making it clear for application developers
which classes and methods they can use while ensuring forward compatibility. This allows the
Log4j team to improve the implementation safely and in a compatible manner.
</dd>
<dt>Improved Performance</dt>
<dd>
Log4j 2 contains next-generation Asynchronous Loggers based
on the LMAX Disruptor library. In multi-threaded scenarios
Asynchronous Loggers have 18 times higher throughput and
orders of magnitude lower latency than Log4j 1.x and Logback.
See <a href="manual/async.html#Performance">Asynchronous Logging Performance</a>
for details.
Otherwise, Log4j 2 performs faster than Log4j 1.x in critical areas
and similarly to Logback under most circumstances.
See <a href="performance.html">Performance</a> for more information.
</dd>
<dt>Support for multiple APIs</dt>
<dd>
While the Log4j 2 API provides the best performance, Log4j 2 also supports the SLF4J and
Commons Logging APIs.
</dd>
<dt>Automatic Reloading of Configurations</dt>
<dd>
Like Logback, Log4j 2 can automatically reload its configuration upon modification. Unlike Logback,
it will do so without losing log events while reconfiguration is taking place.
</dd>
<dt>Advanced Filtering</dt>
<dd>
Like Logback, Log4j 2 supports filtering based on context data, markers, regular expressions,
and other components in the Log event. Filtering can be specified to apply to all events
before being passed to Loggers or as they pass through Appenders. In addition, filters can also
be associated with Loggers. Unlike Logback, you can use a common Filter class in any of these
circumstances.
</dd>
<dt>Plugin Architecture</dt>
<dd>
Log4j uses the plugin pattern to configure components. As such, you do not need to write code
to create and configure an Appender, Layout, Pattern Converter, and so on. Log4j automatically
recognizes plugins and uses them when a configuration references them.
</dd>
<dt>Property Support</dt>
<dd>
You can reference properties in a configuration; Log4j will either replace them directly or
pass them to an underlying component that resolves them dynamically. Properties come from values
defined in the configuration file, system properties, environment variables, the ThreadContext
Map, and data present in the event. Users can further customize the property providers by
adding their own <a href="manual/lookups.html">Lookup</a> Plugin.
</dd>
</dl>
<subsection name="Documentation">
<p>
The Log4j 2 User's Guide is available on this <a href="manual/index.html">site</a> or as a downloadable
<a href="log4j-users-guide.pdf">PDF</a>.
</p>
</subsection>
<subsection name="Requirements">
<p>
Log4j 2 requires Java 6.
Some features require optional dependencies; the documentation for these features specifies the
dependencies.
</p>
</subsection>
<subsection name="News">
<p>
Log4j 2 is now available for production. The API for Log4j 2 is not compatible with Log4j 1.x; however, an adapter
is available to allow applications to continue to use the Log4j 1.x API. Adapters are also available for
Apache Commons Logging and SLF4J.
</p>
</subsection>
</section>
</body>
</document>