| <?xml version="1.0"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| |
| <document xmlns="http://maven.apache.org/XDOC/2.0" |
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" |
| xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 http://maven.apache.org/xsd/xdoc-2.0.xsd"> |
| <properties> |
| <title>Log4j 2 Guide</title> |
| <author email="rgoers@apache.org">Ralph Goers</author> |
| <author email="ggregory@apache.org">Gary Gregory</author> |
| <author email="sdeboy@apache.org">Scott Deboy</author> |
| </properties> |
| |
| <body> |
| |
| <a name="CVE-2021-44832"/> |
| <h2>Important: Security Vulnerability CVE-2021-44832</h2> |
| |
| Summary: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration. |
| |
| <h4>Details</h4> |
| |
| Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to |
| a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can |
| construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute |
| remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, |
| 2.12.4, and 2.3.2. |
| |
| <h4>Mitigation</h4> |
| Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later) |
| |
| <h4>Reference</h4> |
| Please refer to the <a href="https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832">Security Page</a> |
| for details and mitigation measures for older versions of Log4j. |
| |
| <a name="CVE-2021-45105"/> |
| <h2>Important: Security Vulnerabilities CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228</h2> |
| |
| Please refer to the <a href="https://logging.apache.org/log4j/2.x/security.html">Security Page</a> for details |
| and mitigation measures for these security issues. |
| |
| <section name="Apache Log4j 2"> |
| |
| <p> |
| Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j |
| 1.x, and provides many of the improvements available in Logback while fixing some inherent problems in |
| Logback's architecture. |
| </p> |
| |
| <p>Some of the features and improvements in Log4j 2 are:</p> |
| |
| <dl> |
| <dt>API Separation</dt> |
| <dd> |
| The API for Log4j is separate from the implementation making it clear for application developers |
| which classes and methods they can use while ensuring forward compatibility. This allows the |
| Log4j team to improve the implementation safely and in a compatible manner. |
| </dd> |
| <dt>Improved Performance</dt> |
| <dd> |
| Log4j 2 contains next-generation Asynchronous Loggers based |
| on the LMAX Disruptor library. In multi-threaded scenarios |
| Asynchronous Loggers have 18 times higher throughput and |
| orders of magnitude lower latency than Log4j 1.x and Logback. |
| See <a href="manual/async.html#Performance">Asynchronous Logging Performance</a> |
| for details. |
| Otherwise, Log4j 2 performs faster than Log4j 1.x in critical areas |
| and similarly to Logback under most circumstances. |
| See <a href="performance.html">Performance</a> for more information. |
| </dd> |
| <dt>Support for multiple APIs</dt> |
| <dd> |
| While the Log4j 2 API will provide the best performance, Log4j 2 provides support for the SLF4J and |
| Commons Logging APIs. |
| </dd> |
| <dt>Automatic Reloading of Configurations</dt> |
| <dd> |
| Like Logback, Log4j 2 can automatically reload its configuration upon modification. Unlike Logback, |
| it will do so without losing log events while reconfiguration is taking place. |
| </dd> |
| <dt>Advanced Filtering</dt> |
| <dd> |
| Like Logback, Log4j 2 supports filtering based on context data, markers, regular expressions, |
| and other components in the Log event. Filtering can be specified to apply to all events |
| before being passed to Loggers or as they pass through Appenders. In addition, filters can also |
| be associated with Loggers. Unlike Logback, you can use a common Filter class in any of these |
| circumstances. |
| </dd> |
| <dt>Plugin Architecture</dt> |
| <dd> |
| Log4j uses the plugin pattern to configure components. As such, you do not need to write code |
| to create and configure an Appender, Layout, Pattern Converter, and so on. Log4j automatically |
| recognizes plugins and uses them when a configuration references them. |
| </dd> |
| <dt>Property Support</dt> |
| <dd> |
| You can reference properties in a configuration, Log4j will directly replace them, or Log4j will |
| pass them to an underlying component that will dynamically resolve them. Properties come from values |
| defined in the configuration file, system properties, environment variables, the ThreadContext |
| Map, and data present in the event. Users can further customize the property providers by |
| adding their own <a href="manual/lookups.html">Lookup</a> Plugin. |
| </dd> |
| </dl> |
| |
| <subsection name="Documentation"> |
| <p> |
| The Log4j 2 User's Guide is available on this <a href="manual/index.html">site</a> or as a downloadable |
| <a href="log4j-users-guide.pdf">PDF</a>. |
| </p> |
| </subsection> |
| |
| <subsection name="Requirements"> |
| <p> |
| Log4j 2 requires Java 6. |
| Some features require optional dependencies; the documentation for these features specifies the |
| dependencies. |
| </p> |
| </subsection> |
| |
| <subsection name="News"> |
| <p> |
| Log4j 2 is now available for production. The API for Log4j 2 is not compatible with Log4j 1.x, however an adapter |
| is available to allow applications to continue to use the Log4j 1.x API. Adapters are also available for |
| Apache Commons Logging and SLF4J. |
| </p> |
| </subsection> |
| </section> |
| </body> |
| </document> |
| |