| <!DOCTYPE html> |
| <html lang="en"> |
| <head> |
| <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> |
| <title>Apache Logging Services</title> |
| |
| <link href="/css/asciidoctor-default.css" rel="stylesheet" type="text/css" /> |
| <link href="/css/bootstrap.min.css" rel="stylesheet" type="text/css" /> |
| <link href="/css/site.css?version=20231214" rel="stylesheet" type="text/css" /> |
| |
| <script src="/js/jquery.min.js"></script> |
| <script src="/js/bootstrap.min.js"></script> |
| <script src="/js/site.js"></script> |
<link rel="alternate" type="application/rss+xml" title="ASF Logging Services" href="/feed.xml">
| </head> |
| |
| |
| <body> |
| <div class="navbar"> |
| <div class="navbar-inner"> |
| <div class="container"> |
| <a class="brand" href="/">Apache Logging Services™</a> |
| <ul class="nav"> |
| <li class="dropdown"> |
| <a href="#" class="dropdown-toggle" data-toggle="dropdown">About<b class="caret"></b></a> |
| <ul class="dropdown-menu"> |
| <li><a href="/guidelines.html">Guidelines</a></li> |
| <li><a href="/charter.html">Charter</a></li> |
| <li><a href="/team-list.html">Team</a></li> |
<li><a href="/processes.html">Retirement Processes</a></li>
<li><a target="_blank" href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a></li>
| <li><a href="/what-is-logging.html">What is logging?</a></li> |
| <li><a href="/activity-monitor">Activity monitor</a></li> |
| </ul> |
| </li> |
| </ul> |
| <ul class="nav"> |
| <li><a href="/download.html">Download</a></li> |
| </ul> |
| <ul class="nav"> |
| <li><a href="/support.html">Support</a></li> |
| </ul> |
| <ul class="nav"> |
| <li><a href="/security.html">Security</a></li> |
| </ul> |
| <ul class="nav"> |
| <li><a href="/xml/ns">XML Schemas</a></li> |
| </ul> |
| <ul class="nav pull-right"> |
| <li class="dropdown"> |
| <a href="#" class="dropdown-toggle" data-toggle="dropdown">Apache<b class="caret"></b></a> |
| <ul class="dropdown-menu"> |
| <li><a target="_blank" href="https://www.apache.org/">Home</a></li> |
| <li><a target="_blank" href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> |
| <li><a target="_blank" href="https://www.apache.org/licenses/">License</a></li> |
| <li><a target="_blank" href="https://www.apache.org/foundation/thanks.html">Thanks</a></li> |
| <li><a target="_blank" href="https://www.apache.org/events/current-event.html">Current Events</a></li> |
| <li><a target="_blank" href="https://www.apache.org/security/">Security</a></li> |
| <li><a target="_blank" href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy</a></li> |
| </ul> |
| </li> |
| </ul> |
| <ul class="nav pull-right"> |
| <li><a href="/blog">Blog</a></li> |
| </ul> |
| </div> |
| </div> |
| </div> |
| |
| |
| <div class="container"> |
| <div class="content"> |
| <div id="preamble"> |
| <div class="sectionbody"> |
| <div class="paragraph"> |
<p>The Logging Services Security Team takes security seriously.
This allows our users to place their trust in Log4j for protecting their mission-critical data.
On this page you will find guidance on security-related issues and the list of known vulnerabilities.</p>
| </div> |
| <div class="admonitionblock warning"> |
| <table> |
| <tr> |
| <td class="icon"> |
| <div class="title">Warning</div> |
| </td> |
| <td class="content"> |
| <div class="paragraph"> |
<p><a href="/log4j/1.x">Log4j 1</a> <a href="https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces">reached End of Life</a> in 2015 and is no longer supported.
Vulnerabilities reported after August 2015 against Log4j 1 are not checked and will not be fixed.
Users should <a href="/log4j/2.x/manual/migration.html">upgrade to Log4j 2</a> to obtain security fixes.</p>
| </div> |
| </td> |
| </tr> |
| </table> |
| </div> |
| </div> |
| </div> |
| <div class="sect1"> |
| <h2 id="support">Getting support</h2> |
| <div class="sectionbody"> |
| <div class="paragraph"> |
<p>If you need help building or configuring Logging Services projects, or help following the instructions to mitigate the known vulnerabilities listed here, please use our <a href="support.html#discussions">user support channels</a>.</p>
| </div> |
| <div class="admonitionblock tip"> |
| <table> |
| <tr> |
| <td class="icon"> |
| <div class="title">Tip</div> |
| </td> |
| <td class="content"> |
| <div class="paragraph"> |
| <p>If you need to apply a source code patch, use the building instructions for the project version that you are using. |
| These instructions can be found in <code>BUILDING.adoc</code>, <code>BUILDING.md</code>, etc. files distributed with the sources.</p> |
| </div> |
| </td> |
| </tr> |
| </table> |
| </div> |
| </div> |
| </div> |
| <div class="sect1"> |
| <h2 id="reporting">Reporting vulnerabilities</h2> |
| <div class="sectionbody"> |
| <div class="paragraph"> |
| <p>If you have encountered an unlisted security vulnerability or other unexpected behaviour that has a security impact, or if the descriptions here are incomplete, please report them <strong>privately</strong> to <a href="mailto:security@logging.apache.org">the Logging Services Security Team</a>.</p> |
| </div> |
| <div class="admonitionblock important"> |
| <table> |
| <tr> |
| <td class="icon"> |
| <div class="title">Important</div> |
| </td> |
| <td class="content"> |
| <div class="paragraph"> |
<p>We urge you to <strong>carefully read the threat model</strong> detailed in the following sections before submitting a report.
It gives users safety instructions for using Logging Services software and elaborates on what counts as unexpected behaviour with a security impact.</p>
| </div> |
| </td> |
| </tr> |
| </table> |
| </div> |
| <div class="sect2"> |
| <h3 id="threat-common">Common threat model</h3> |
| <div class="paragraph"> |
<p>Below is the threat model shared by all Logging Services projects.</p>
| </div> |
| <div class="sect3"> |
| <h4 id="threat-common-code-signing">Code signing</h4> |
| <div class="paragraph"> |
<p>All Logging Services software release distributions are signed with GPG using a key from the Logging Services PMC <a href="https://downloads.apache.org/logging/KEYS">KEYS file</a>.
How to verify release signatures is explained on <a href="download.html">the Download page</a>.
GPG signatures should therefore be validated in your build process.</p>
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="threat-common-config-sources">Configuration sources</h4> |
| <div class="paragraph"> |
<p>All configuration sources to an application must be trusted by the programmer.
When loading a configuration file from disk (especially when a monitor interval is configured to reload the file periodically), the location of the configuration file must be kept safe from unauthorized modifications.
Similarly, when loading a configuration file over the network, such as through HTTP, the connection should use TLS (or another secure transport) with strong authentication guarantees.
This remote location must be kept safe from unauthorized modifications.
When configurations are modified through JMX, the JMX server should be configured to require authentication and a secure connection if it is accessed over the network.
When configurations are provided through JNDI, they should only use the <code>java</code> scheme for sharing configurations in a Java EE or Jakarta EE application server.
JNDI-sourced configurations should not use other JNDI providers such as LDAP, DNS, or RMI, as all these providers are difficult to secure properly.</p>
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="threat-common-java-serialization">Java Object Serialization Stream Protocol</h4> |
| <div class="paragraph"> |
| <p><a href="https://docs.oracle.com/javase/8/docs/platform/serialization/spec/protocol.html">Java Object Serialization Stream Protocol</a> should not be used to deserialize data from untrusted sources. |
| See <a href="https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data">the related OWASP guide</a> for details.</p> |
| </div> |
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="threat-log4j">Log4j threat model</h3> |
| <div class="paragraph"> |
<p>Below is the threat model specific to <a href="/log4j">Log4j</a>.</p>
| </div> |
| <div class="sect3"> |
| <h4 id="threat-log4j-parametrized-logging">Parameterized logging</h4> |
| <div class="paragraph"> |
| <p>When using a log message containing template parameters like <code>{}</code>, only the format string is evaluated for parameters to be substituted. |
| The message parameters themselves are not evaluated for parameters; they are only included in the format string corresponding to their template position. |
| The conversion of message parameters into a string is done on-demand depending on the layout being used. |
| When structure-preserving transformations of log message data are required, the <code>Message</code> API should be used for logging structured data combined with a structured layout (e.g., <code>JsonTemplateLayout</code>). |
| Format strings should be compile-time constants, and under no circumstances should format strings be built using user-controlled input data.</p> |
| </div> |
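<div class="paragraph">
<p>The property described above, as an added example that is not Log4j's own code: a minimal positional <code>{}</code> formatter in Python that scans only the format string for placeholders and inserts arguments verbatim. The names <code>format_message</code>, <code>log_safely</code> and <code>log_by_concatenation</code> are this example's own; the last one shows why a format string built from user input is unsafe, since a <code>{}</code> typed by the user then counts as a placeholder and shifts the real arguments out of position.</p>
</div>
```python
def format_message(fmt: str, args: list) -> str:
    """Substitute each '{}' in fmt with the next argument, left to right.

    Only fmt is scanned for placeholders. Arguments are converted with str()
    on demand and inserted verbatim, so a '{}' or '${...}' inside an argument
    is plain text. Surplus placeholders stay as written; surplus arguments are
    ignored.
    """
    out = []
    i = 0
    next_arg = 0
    while i < len(fmt):
        if fmt.startswith("{}", i) and next_arg < len(args):
            out.append(str(args[next_arg]))  # inserted, never re-parsed
            next_arg += 1
            i += 2
        else:
            out.append(fmt[i])
            i += 1
    return "".join(out)


def log_safely(username: str, client_ip: str) -> str:
    """Recommended form: a constant format string, user data passed as arguments."""
    return format_message("login failed for user {} from {}", [username, client_ip])


def log_by_concatenation(username: str, client_ip: str) -> str:
    """Anti-pattern the page warns against: user input becomes part of the
    format string, so placeholders typed by the user are honoured and shift
    the real arguments out of position."""
    fmt = "login failed for user " + username + " from {}"
    return format_message(fmt, [client_ip])


if __name__ == "__main__":
    print(log_safely("a{}b", "10.0.0.5"))
    print(log_by_concatenation("a{}b", "10.0.0.5"))
```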
| </div> |
| <div class="sect3"> |
| <h4 id="threat-log4j-unstructured-logging">Unstructured logging</h4> |
| <div class="paragraph"> |
| <p>When using an unstructured layout such as <code>PatternLayout</code>, no guarantees can be made about the output format. |
| This layout is mainly useful for development purposes and should not be relied on in production applications. |
| For example, if a log message contains new lines, these are not escaped or encoded specially unless the configured pattern uses the <code>%encode{pattern}{CRLF}</code> wrapper pattern converter (which will encode a carriage return as the string <code>\r</code> and a line feed as the string <code>\n</code>) or some other <code>%encode</code> option. |
| Note that <code>%xEx</code> is appended to the pattern unless already present. |
| Similarly, other encoding options are available for other formats, but pattern layouts cannot make assumptions about the entire output. |
| As such, when using unstructured layouts, no user-controlled input should be included in logs. |
| It is strongly recommended that a structured layout (e.g., <code>JsonTemplateLayout</code>) is used instead for these situations. |
| Note that <code>StrLookup</code> plugins (those referenced by <code>${…​}</code> templates in configuration files) that contain user-provided input should not be referenced by layouts.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="threat-log4j-structured-logging">Structured logging</h4> |
| <div class="paragraph"> |
| <p>When using a structured layout (most layouts besides pattern layout), log messages are encoded according to various output formats. |
| These safely encode the various fields included in a log message. |
| For example, the <code>JsonTemplateLayout</code> can be configured to output log messages in various JSON structures where all log data is properly encoded into safely parseable JSON. |
| This is the recommended mode of operation for use with log parsing and log collection tools that rely on log files or arbitrary output streams.</p> |
| </div> |
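<div class="paragraph">
<p>As an added example (not Log4j code), the following Python models the three behaviours described in the two sections above: a bare pattern layout that passes newlines through, the <code>%encode{pattern}{CRLF}</code> treatment that turns a carriage return into the literal <code>\r</code> and a line feed into the literal <code>\n</code>, and a structured JSON layout in which every field is encoded so that a line-oriented consumer sees exactly one record per event. The sample username is constructed for this example and the function names are this example's own.</p>
</div>
```python
import json

# Constructed sample: a username carrying a newline followed by text shaped like
# a second, forged log record.
FORGED_USERNAME = "alice\n2024-01-01 00:00:00 INFO  login succeeded for admin"


def encode_crlf(text: str) -> str:
    """What the %encode{...}{CRLF} converter does: CR becomes the two characters
    backslash-r and LF becomes backslash-n, so the event stays on one physical line."""
    return text.replace("\r", "\\r").replace("\n", "\\n")


def render_pattern(level: str, message: str, encode: bool = False) -> str:
    """Bare pattern-layout style line; nothing is escaped unless encode=True."""
    body = encode_crlf(message) if encode else message
    return f"{level} {body}\n"


def render_json(level: str, message: str, **fields: str) -> str:
    """Structured layout: one JSON object per event, every field JSON-encoded."""
    return json.dumps({"level": level, "message": message, **fields}) + "\n"


def record_count(output: str) -> int:
    """What a line-oriented log collector sees: one record per non-empty line."""
    return sum(1 for line in output.splitlines() if line)


def user_from_json(json_line: str) -> str:
    """A consumer recovers the original field value, newline included, losslessly."""
    return json.loads(json_line)["user"]


if __name__ == "__main__":
    message = "login failed for " + FORGED_USERNAME
    print(record_count(render_pattern("WARN", message)), "record(s) without encoding")
    print(record_count(render_pattern("WARN", message, encode=True)), "record(s) with CRLF encoding")
    print(render_json("WARN", "login failed", user=FORGED_USERNAME), end="")
```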
| </div> |
| <div class="sect3"> |
| <h4 id="threat-log4j-java-security-manager">Java Security Manager</h4> |
| <div class="paragraph"> |
| <p>Log4j 3 no longer supports running in or using a custom <code>SecurityManager</code>. |
| This Java feature has been deprecated for removal in Java 21. |
| Log4j 2 includes partial support for running with a Security Manager.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="threat-log4j-log-masking">Log masking</h4> |
| <div class="paragraph"> |
| <p>Log4j, like any other generic logging library, cannot generically support log masking of sensitive data. |
| While custom plugins may be developed to attempt to mask various regular expressions (such as a string that looks like a credit card number), the general problem of log masking is equivalent to the halting problem in computer science where sensitive data can always be obfuscated in such a way as to avoid detection by log masking. |
| As such, it is the responsibility of the developer to properly demarcate sensitive data such that it can be consistently masked by log masking plugins. |
| This sort of use case should make use of the <code>Message</code> API for better control over the output of such data.</p> |
| </div> |
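<div class="paragraph">
<p>As an added example (not Log4j code), the following Python contrasts the two approaches above: a regex-based masking step that inspects rendered text and is defeated by a trivial change of formatting, and a value demarcated by the developer at the logging call site, standing in for a <code>Message</code> API object that knows which field is sensitive, which the layout masks regardless of format. <code>SensitiveValue</code>, <code>render_fields</code> and the sample card number are constructed for this example.</p>
</div>
```python
import re
from typing import Any, Dict

# Stand-in for a masking plugin that inspects rendered text: it only recognises
# an unbroken run of 16 digits, so any other formatting of the number slips past.
CARD_RE = re.compile(r"\b\d{16}\b")


def mask_by_regex(rendered_text: str) -> str:
    """Post-hoc masking of output text; defeated by trivial reformatting."""
    return CARD_RE.sub("****", rendered_text)


class SensitiveValue:
    """Marker the developer wraps a value in at the logging call site,
    playing the role of a Message-API object that knows the field is sensitive."""

    def __init__(self, value: Any) -> None:
        self._value = value

    def __str__(self) -> str:
        # Masked whenever the layout converts it, whatever the original format was.
        return "****"


def render_fields(fields: Dict[str, Any]) -> str:
    """Layout that converts each field on demand with str(), as the page describes."""
    return " ".join(f"{key}={value}" for key, value in fields.items())


def demo() -> Dict[str, str]:
    """The same number survives regex masking once reformatted, but never
    reaches the output when it is demarcated as a SensitiveValue."""
    spaced = "4111 1111 1111 1111"  # constructed test number, not a real card
    return {
        "regex_plain": mask_by_regex(render_fields({"user": "alice", "card": "4111111111111111"})),
        "regex_spaced": mask_by_regex(render_fields({"user": "alice", "card": spaced})),
        "demarcated": render_fields({"user": "alice", "card": SensitiveValue(spaced)}),
    }


if __name__ == "__main__":
    for name, line in demo().items():
        print(f"{name:13} {line}")
```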
| </div> |
| <div class="sect3"> |
| <h4 id="threat-log4j-availability">Availability</h4> |
| <div class="paragraph"> |
| <p>Log4j goes to great lengths to minimize performance overhead along with options for minimizing latency or maximizing throughput. |
| However, we cannot guarantee availability of the application if the appenders cannot keep up with the logs being written. |
| Synchronous logging can cause applications to block and wait for a log message to be written. |
| Asynchronous logging can also cause applications to block and wait depending on the wait strategy and queue full policy configured. |
| Configuring too large or too many buffers in an application can also result in out of memory errors.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="threat-log4j-compressing-logs">Compressing logs</h4> |
| <div class="paragraph"> |
| <p>If log compression is used along with custom encryption where logs contain user-controlled input, then this can lead to a <a href="https://en.wikipedia.org/wiki/CRIME">CRIME attack</a> style vulnerability where a chosen-plaintext attack is combined with information leakage caused by how the compression algorithm handles different inputs. |
| The simplest way to avoid this problem is to never combine compression with encryption when encoding user-controlled input.</p> |
| </div> |
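<div class="paragraph">
<p>As an added example (not Log4j code), the following Python measures the length side channel the warning above refers to. A constructed log record holds a secret field next to attacker-controlled text; after compression its size depends on how much the untrusted text overlaps the secret, and length-preserving encryption applied afterwards would leave that size visible. Without compression the size depends only on the input lengths, which is why the page recommends never combining the two for user-controlled input. <code>SECRET_FIELD</code> and the function names are this example's own.</p>
</div>
```python
import zlib

# Constructed secret field that a log record could carry next to user-controlled text.
SECRET_FIELD = "session=K7Q9P2M4WX"


def record_bytes(untrusted_text: str) -> bytes:
    """One log record: the secret field followed by attacker-controlled text."""
    return f"{SECRET_FIELD} ua={untrusted_text}".encode()


def compressed_length(untrusted_text: str) -> int:
    """Size after compression. Length-preserving encryption applied afterwards
    would leave exactly this size observable to whoever sees the ciphertext."""
    return len(zlib.compress(record_bytes(untrusted_text)))


def plain_length(untrusted_text: str) -> int:
    """Size without compression: depends only on how long the inputs are."""
    return len(record_bytes(untrusted_text))


def leaks_through_compression(text_a: str, text_b: str) -> bool:
    """Two equally long untrusted inputs should be indistinguishable by size;
    with compression in front of encryption they are not."""
    if len(text_a) != len(text_b):
        raise ValueError("compare inputs of equal length")
    return compressed_length(text_a) != compressed_length(text_b)


if __name__ == "__main__":
    echo = "session=K7Q9P2M4WX"   # overlaps the secret field, so it compresses better
    other = "session=AB3F9Q1LZC"  # same length, overlaps only on the field name
    print("plain:", plain_length(echo), plain_length(other))
    print("compressed:", compressed_length(echo), compressed_length(other))
```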
| </div> |
| </div> |
| </div> |
| </div> |
| <div class="sect1"> |
| <h2 id="policy">Vulnerability handling policy</h2> |
| <div class="sectionbody"> |
| <div class="paragraph"> |
| <p>The Logging Services Security Team follows the <a href="https://www.apache.org/security/committers.html">ASF Project Security</a> guide for handling security vulnerabilities.</p> |
| </div> |
| <div class="paragraph"> |
| <p>Reported security vulnerabilities are subject to voting (by means of <a href="https://logging.apache.org/guidelines.html"><em>lazy approval</em></a>, preferably) in the private <a href="mailto:security@logging.apache.org">security mailing list</a> before creating a CVE and populating its associated content. |
| This procedure involves only the creation of CVEs and blocks neither (vulnerability) fixes, nor releases.</p> |
| </div> |
| </div> |
| </div> |
| <div class="sect1"> |
| <h2 id="vdr">Vulnerability Disclosure Report (VDR)</h2> |
| <div class="sectionbody"> |
| <div class="paragraph"> |
| <p>Many Logging Services projects distribute <a href="https://cyclonedx.org/capabilities/vdr">CycloneDX Software Bill of Materials (SBOM)</a> along with each deployed artifact. |
| This is streamlined by <a href="/logging-parent">Logging Parent</a> for Maven-based projects.</p> |
| </div> |
| <div class="paragraph"> |
| <p>Produced SBOMs contain BOM-links referring to a <a href="https://cyclonedx.org/capabilities/vdr">CycloneDX Vulnerability Disclosure Report (VDR)</a> that Apache Logging Services uses for all projects it maintains. |
| This VDR is accessible through the following URL: <a href="https://logging.apache.org/cyclonedx/vdr.xml" class="bare">https://logging.apache.org/cyclonedx/vdr.xml</a></p> |
| </div> |
| </div> |
| </div> |
| <div class="sect1"> |
| <h2 id="vulnerabilities">Known vulnerabilities</h2> |
| <div class="sectionbody"> |
| <div class="paragraph"> |
| <p>The Logging Services Security Team believes that accuracy, completeness and availability of security information is essential for our users. |
| We choose to pool all information on this one page, allowing easy searching for security vulnerabilities over a range of criteria.</p> |
| </div> |
| <div class="admonitionblock note"> |
| <table> |
| <tr> |
| <td class="icon"> |
| <div class="title">Note</div> |
| </td> |
| <td class="content"> |
| <div class="paragraph"> |
<p>We adhere to <a href="https://maven.apache.org/enforcer/enforcer-rules/versionRanges.html">the Maven version range syntax</a> when listing the versions of affected components.
We extend this notation only with the set union operator (i.e., <code>∪</code>) to denote the union of multiple ranges.</p>
| </div> |
| </td> |
| </tr> |
| </table> |
| </div> |
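<div class="paragraph">
<p>As an added example (not tooling from Apache Logging Services), the following Python reads this notation, including the <code>∪</code> extension, and reports which of the CVE-2021 <code>log4j-core</code> advisories on this page list a given version as affected. The range strings in <code>PAGE_SPECS</code> are copied from the tables below; the qualifier ordering (alpha, beta, milestone, rc, then release) is a simplification of Maven's <code>ComparableVersion</code> that covers the versions used here, and the function names are this example's own.</p>
</div>
```python
import re
from typing import Dict, List, Tuple

# One Maven range: an opening bracket, the inside (no nested brackets), a closing bracket.
# Whatever separates ranges ('∪', a comma, whitespace) is skipped.
RANGE_RE = re.compile(r"([\[(])([^\[\]()]*)([\])])")
# Pre-release qualifiers sort below the release they precede.
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "milestone": 2, "rc": 3}
RELEASE_RANK = 4

# 'Versions affected' for log4j-core, copied from the CVE-2021 tables on this page.
PAGE_SPECS: Dict[str, str] = {
    "CVE-2021-44832": "[2.0-beta7, 2.3.2) ∪ [2.4, 2.12.4) ∪ [2.13.0, 2.17.1)",
    "CVE-2021-45105": "[2.0-alpha1, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)",
    "CVE-2021-45046": "[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)",
    "CVE-2021-44228": "[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)",
}


def version_key(version: str) -> Tuple[tuple, int, int]:
    """Sortable key: (numeric parts padded to 4, qualifier rank, qualifier number).

    Simplified relative to Maven's ComparableVersion, but sufficient for
    versions of the form N.N[.N][-qualifierN] used on this page.
    """
    core, _, qualifier = version.strip().partition("-")
    numbers = tuple(int(part) for part in core.split("."))
    numbers += (0,) * (4 - len(numbers))  # so that 2.3 == 2.3.0
    if not qualifier:
        return numbers, RELEASE_RANK, 0
    match = re.fullmatch(r"([A-Za-z]+)(\d*)", qualifier)
    if not match or match.group(1).lower() not in QUALIFIER_RANK:
        raise ValueError(f"unsupported qualifier in {version!r}")
    return numbers, QUALIFIER_RANK[match.group(1).lower()], int(match.group(2) or 0)


def in_range(version: str, spec: str) -> bool:
    """True if version falls inside any range of spec (a union of Maven ranges)."""
    key = version_key(version)
    ranges = RANGE_RE.findall(spec)
    if not ranges:
        raise ValueError(f"no version ranges found in {spec!r}")
    for open_bracket, inside, close_bracket in ranges:
        bounds = [bound.strip() for bound in inside.split(",")]
        if len(bounds) == 1:  # '[x]' means exactly x
            if key == version_key(bounds[0]):
                return True
            continue
        if len(bounds) != 2:
            raise ValueError(f"malformed range in {spec!r}")
        low, high = bounds
        if low:
            low_key = version_key(low)
            if key < low_key or (key == low_key and open_bracket == "("):
                continue
        if high:
            high_key = version_key(high)
            if key > high_key or (key == high_key and close_bracket == ")"):
                continue
        return True
    return False


def affected_cves(version: str, specs: Dict[str, str] = PAGE_SPECS) -> List[str]:
    """CVE identifiers whose 'Versions affected' range contains this log4j-core version."""
    return sorted(cve for cve, spec in specs.items() if in_range(version, spec))


if __name__ == "__main__":
    for candidate in ("2.14.1", "2.17.0", "2.17.1"):
        print(candidate, affected_cves(candidate) or "not listed on this page")
```
<div class="paragraph">
<p>Run it with the <code>log4j-core</code> version reported by your build tool; an empty list means none of the ranges on this page cover that version, not that the version is free of issues reported elsewhere.</p>
</div>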
| <div class="sect2"> |
| <h3 id="CVE-2021-44832"><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44832">CVE-2021-44832</a></h3> |
| <table class="tableblock frame-all grid-all stretch"> |
| <colgroup> |
| <col style="width: 16.6666%;"> |
| <col style="width: 83.3334%;"> |
| </colgroup> |
| <tbody> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Summary</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock">JDBC appender is vulnerable to remote code execution in certain configurations</p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x Score & Vector</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock">6.6 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)</p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Components affected</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>log4j-core</code></p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Versions affected</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>[2.0-beta7, 2.3.2) ∪ [2.4, 2.12.4) ∪ [2.13.0, 2.17.1)</code></p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Versions fixed</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>2.3.2</code> (for Java 6), <code>2.12.4</code> (for Java 7), or <code>2.17.1</code> (for Java 8 and later)</p></td> |
| </tr> |
| </tbody> |
| </table> |
| <div class="sect3"> |
| <h4 id="CVE-2021-44832-description">Description</h4> |
| <div class="paragraph"> |
| <p>An attacker with write access to the logging configuration can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. |
| This issue is fixed by limiting JNDI data source names to the <code>java</code> protocol.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2021-44832-mitigation">Mitigation</h4> |
| <div class="paragraph"> |
| <p>Upgrade to <code>2.3.2</code> (for Java 6), <code>2.12.4</code> (for Java 7), or <code>2.17.1</code> (for Java 8 and later).</p> |
| </div> |
| <div class="paragraph"> |
| <p>In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than <code>java</code>.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2021-44832-references">References</h4> |
| <div class="ulist"> |
| <ul> |
| <li> |
| <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44832">CVE-2021-44832</a></p> |
| </li> |
| </ul> |
| </div> |
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="CVE-2021-45105"><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105">CVE-2021-45105</a></h3> |
| <table class="tableblock frame-all grid-all stretch"> |
| <colgroup> |
| <col style="width: 16.6666%;"> |
| <col style="width: 83.3334%;"> |
| </colgroup> |
| <tbody> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Summary</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock">Infinite recursion in lookup evaluation</p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x Score & Vector</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock">5.9 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)</p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Components affected</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>log4j-core</code></p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Versions affected</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>[2.0-alpha1, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)</code></p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Versions fixed</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 7), and <code>2.17.0</code> (for Java 8 and later)</p></td> |
| </tr> |
| </tbody> |
| </table> |
| <div class="sect3"> |
| <h4 id="CVE-2021-45105-description">Description</h4> |
| <div class="paragraph"> |
| <p>Log4j versions <code>2.0-alpha1</code> through <code>2.16.0</code> (excluding <code>2.3.1</code> and <code>2.12.3</code>), did not protect from uncontrolled recursion that can be implemented using self-referential lookups. |
| When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, <code>$${ctx:loginId}</code>), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a <code>StackOverflowError</code> that will terminate the process. |
| This is also known as a <em>DoS (Denial-of-Service)</em> attack.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2021-45105-mitigation">Mitigation</h4> |
| <div class="paragraph"> |
| <p>Upgrade to <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 7), or <code>2.17.0</code> (for Java 8 and later).</p> |
| </div> |
| <div class="paragraph"> |
| <p>Alternatively, this infinite recursion issue can be mitigated in configuration:</p> |
| </div> |
| <div class="ulist"> |
| <ul> |
| <li> |
| <p>In PatternLayout in the logging configuration, replace Context Lookups like <code>${ctx:loginId}</code> or <code>$${ctx:loginId}</code> with Thread Context Map patterns (<code>%X</code>, <code>%mdc</code>, or <code>%MDC</code>).</p> |
| </li> |
| <li> |
| <p>Otherwise, in the configuration, remove references to Context Lookups like <code>${ctx:loginId}</code> or <code>$${ctx:loginId}</code> where they originate |
| from sources external to the application such as HTTP headers or user input. |
| Note that this mitigation is insufficient in releases older than <code>2.12.2</code> (for Java 7), and <code>2.16.0</code> (for Java 8 and later) as the issues fixed in those releases will still be present.</p> |
| </li> |
| </ul> |
| </div> |
| <div class="paragraph"> |
| <p>Note that only the <code>log4j-core</code> JAR file is impacted by this vulnerability. |
| Applications using only the <code>log4j-api</code> JAR file without the <code>log4j-core</code> JAR file are not impacted by this vulnerability.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2021-45105-credits">Credits</h4> |
| <div class="paragraph"> |
| <p>Independently discovered by Hideki Okamoto of Akamai Technologies, Guy Lederfein of Trend Micro Research working with Trend Micro’s Zero Day Initiative, and another anonymous vulnerability researcher.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2021-45105-references">References</h4> |
| <div class="ulist"> |
| <ul> |
| <li> |
| <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105">CVE-2021-45105</a></p> |
| </li> |
| <li> |
| <p><a href="https://issues.apache.org/jira/browse/LOG4J2-3230">LOG4J2-3230</a></p> |
| </li> |
| </ul> |
| </div> |
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="CVE-2021-45046"><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45046">CVE-2021-45046</a></h3> |
| <table class="tableblock frame-all grid-all stretch"> |
| <colgroup> |
| <col style="width: 16.6666%;"> |
| <col style="width: 83.3334%;"> |
| </colgroup> |
| <tbody> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Summary</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock">Thread Context Lookup is vulnerable to remote code execution in certain configurations</p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x Score & Vector</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock">9.0 CRITICAL (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)</p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Components affected</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>log4j-core</code></p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Versions affected</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)</code></p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Versions fixed</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 7), and <code>2.17.0</code> (for Java 8 and later)</p></td> |
| </tr> |
| </tbody> |
| </table> |
| <div class="sect3"> |
| <h4 id="CVE-2021-45046-description">Description</h4> |
| <div class="paragraph"> |
| <p>It was found that the fix to address <a href="#CVE-2021-44228">CVE-2021-44228</a> in Log4j <code>2.15.0</code> was incomplete in certain non-default configurations. |
| When the logging configuration uses a non-default Pattern Layout with a Thread Context Lookup (for example, <code>$${ctx:loginId}</code>), attackers with control over Thread Context Map (MDC) can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments. |
| Remote code execution has been demonstrated on macOS, Fedora, Arch Linux, and Alpine Linux.</p> |
| </div> |
| <div class="paragraph"> |
| <p>Note that this vulnerability is not limited to just the JNDI lookup. |
| Any other Lookup could also be included in a Thread Context Map variable and possibly have private details exposed to anyone with access to the logs.</p> |
| </div> |
| <div class="paragraph"> |
| <p>Note that only the <code>log4j-core</code> JAR file is impacted by this vulnerability. |
| Applications using only the <code>log4j-api</code> JAR file without the <code>log4j-core</code> JAR file are not impacted by this vulnerability.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2021-45046-mitigation">Mitigation</h4> |
| <div class="paragraph"> |
| <p>Upgrade to Log4j <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 7), or <code>2.17.0</code> (for Java 8 and later).</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2021-45046-credits">Credits</h4> |
| <div class="paragraph"> |
| <p>This issue was discovered by Kai Mindermann of iC Consult and separately by 4ra1n.</p> |
| </div> |
| <div class="paragraph"> |
| <p>Additional vulnerability details discovered independently by Ash Fox of Google, Alvaro Muñoz and Tony Torralba from GitHub, Anthony Weems of Praetorian, and RyotaK (@ryotkak).</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2021-45046-references">References</h4> |
| <div class="ulist"> |
| <ul> |
| <li> |
| <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45046">CVE-2021-45046</a></p> |
| </li> |
| <li> |
| <p><a href="https://issues.apache.org/jira/browse/LOG4J2-3221">LOG4J2-3221</a></p> |
| </li> |
| </ul> |
| </div> |
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="CVE-2021-44228"><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228">CVE-2021-44228</a></h3> |
| <table class="tableblock frame-all grid-all stretch"> |
| <colgroup> |
| <col style="width: 16.6666%;"> |
| <col style="width: 83.3334%;"> |
| </colgroup> |
| <tbody> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Summary</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock">JNDI lookup can be exploited to execute arbitrary code loaded from an LDAP server</p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x Score & Vector</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock">10.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)</p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Components affected</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>log4j-core</code></p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Versions affected</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)</code></p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Versions fixed</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 7), and <code>2.17.0</code> (for Java 8 and later)</p></td> |
| </tr> |
| </tbody> |
| </table> |
| <div class="sect3"> |
| <h4 id="CVE-2021-44228-description">Description</h4> |
| <div class="paragraph"> |
| <p>In Log4j, the JNDI features used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. |
| An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers.</p> |
| </div> |
| <div class="paragraph"> |
| <p>Note that only the <code>log4j-core</code> JAR file is impacted by this vulnerability. |
| Applications using only the <code>log4j-api</code> JAR file without the <code>log4j-core</code> JAR file are not impacted by this vulnerability.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2021-44228-mitigation">Mitigation</h4> |
| <div class="sect4"> |
| <h5 id="CVE-2021-44228-mitigation-log4j1">Log4j 1 mitigation</h5> |
| <div class="admonitionblock warning"> |
| <table> |
| <tr> |
| <td class="icon"> |
| <div class="title">Warning</div> |
| </td> |
| <td class="content"> |
| <div class="paragraph"> |
<p><a href="/log4j/1.x">Log4j 1</a> <a href="https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces">reached End of Life</a> in 2015 and is no longer supported.
Vulnerabilities reported after August 2015 against Log4j 1 are not checked and will not be fixed.
Users should <a href="/log4j/2.x/manual/migration.html">upgrade to Log4j 2</a> to obtain security fixes.</p>
| </div> |
| </td> |
| </tr> |
| </table> |
| </div> |
| <div class="paragraph"> |
| <p>Log4j 1 does not have Lookups, so the risk is lower. |
| Applications using Log4j 1 are only vulnerable to this attack when they use JNDI in their configuration. |
| A separate CVE (<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-4104">CVE-2021-4104</a>) has been filed for this vulnerability. |
| To mitigate, audit your logging configuration to ensure it has no <code>JMSAppender</code> configured. |
| Log4j 1 configurations without <code>JMSAppender</code> are not impacted by this vulnerability.</p> |
| </div> |
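| <div class="paragraph"> |
| <p>An added example, not part of this advisory or of the Log4j project: a small Python audit that scans a Log4j 1 configuration in either <code>log4j.properties</code> or <code>log4j.xml</code> form and reports every appender whose class is <code>org.apache.log4j.net.JMSAppender</code>. The sample configurations embedded in it are constructed for illustration; the only conventions it relies on are the standard <code>log4j.appender.&lt;name&gt;</code> property prefix and the <code>&lt;appender class="..."&gt;</code> XML element.</p> |
| </div> |

```python
"""Audit Log4j 1.x configurations for JMSAppender (CVE-2021-4104 mitigation check).

Added example: this is not code from the Apache Logging Services page or from Log4j.
Only the presence of a JMSAppender definition is checked, which is what the advisory tells
users to look for; it does not resolve which loggers the appender is attached to.
"""
from xml.etree import ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"


def jms_appenders_in_properties(text: str) -> list[str]:
    """Names of appenders declared with class JMSAppender in log4j.properties text."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):   # properties-file comments
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        parts = key.strip().split(".")
        # The appender class is declared on the bare key log4j.appender.<name>;
        # keys with further components (log4j.appender.<name>.TopicBindingName) are parameters.
        if len(parts) == 3 and parts[0] == "log4j" and parts[1] == "appender" \
                and value.strip() == JMS_APPENDER:
            found.append(parts[2])
    return found


def jms_appenders_in_xml(text: str) -> list[str]:
    """Names of <appender> elements with class JMSAppender in log4j.xml text."""
    root = ET.fromstring(text)   # local, trusted configuration file; no external entities used
    return [el.get("name", "<unnamed>") for el in root.iter("appender")
            if el.get("class") == JMS_APPENDER]


def audit_log4j1_config(text: str) -> dict:
    """Dispatch on the configuration format and summarise whether it is impacted."""
    if text.lstrip().startswith("<"):
        names = jms_appenders_in_xml(text)
    else:
        names = jms_appenders_in_properties(text)
    return {"impacted": bool(names), "jms_appenders": names}


# Constructed sample configurations (not taken from any real deployment).
SAFE_PROPERTIES = """\
# console only
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
"""

JMS_PROPERTIES = """\
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitialContextFactory
log4j.appender.jms.TopicBindingName=logTopic
"""

JMS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="jmsAudit" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="logTopic"/>
  </appender>
  <root><level value="info"/><appender-ref ref="console"/><appender-ref ref="jmsAudit"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    for label, cfg in [("safe", SAFE_PROPERTIES), ("jms-props", JMS_PROPERTIES), ("jms-xml", JMS_XML)]:
        print(label, audit_log4j1_config(cfg))
```

| <div class="paragraph"> |
| <p>Run it over each <code>log4j.properties</code> or <code>log4j.xml</code> found on the classpath of a Log4j 1 application; a non-empty <code>jms_appenders</code> list is the configuration the advisory says to remove. Properties files that use <code>:</code> instead of <code>=</code> as the separator are not handled by this simplified parser.</p> |
| </div> |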
| </div> |
| <div class="sect4"> |
| <h5 id="CVE-2021-44228-mitigation-log4j2">Log4j 2 mitigation</h5> |
| <div class="paragraph"> |
| <p>Upgrade to Log4j <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 7), or <code>2.17.0</code> (for Java 8 and later).</p> |
| </div> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2021-44228-credits">Credits</h4> |
| <div class="paragraph"> |
| <p>This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2021-44228-references">References</h4> |
| <div class="ulist"> |
| <ul> |
| <li> |
| <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228">CVE-2021-44228</a></p> |
| </li> |
| <li> |
| <p><a href="https://issues.apache.org/jira/browse/LOG4J2-3198">LOG4J2-3198</a></p> |
| </li> |
| <li> |
| <p><a href="https://issues.apache.org/jira/browse/LOG4J2-3201">LOG4J2-3201</a></p> |
| </li> |
| </ul> |
| </div> |
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="CVE-2020-9488"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-9488">CVE-2020-9488</a></h3> |
| <table class="tableblock frame-all grid-all stretch"> |
| <colgroup> |
| <col style="width: 16.6666%;"> |
| <col style="width: 83.3334%;"> |
| </colgroup> |
| <tbody> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Summary</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock">Improper validation of certificate with host mismatch in SMTP appender</p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x Score & Vector</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock">3.7 LOW (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)</p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Components affected</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>log4j-core</code></p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Versions affected</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>[2.0-beta1, 2.12.3) ∪ [2.13.1, 2.13.2)</code></p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Versions fixed</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>2.12.3</code> (Java 7) and <code>2.13.2</code> (Java 8 and later)</p></td> |
| </tr> |
| </tbody> |
| </table> |
| <div class="sect3"> |
| <h4 id="CVE-2020-9488-description">Description</h4> |
| <div class="paragraph"> |
| <p>Improper validation of certificate with host mismatch in SMTP appender. |
| This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log |
| messages sent through that appender.</p> |
| </div> |
| <div class="paragraph"> |
| <p>The reported issue was caused by an error in <code>SslConfiguration</code>. |
| Any element using <code>SslConfiguration</code> in the Log4j <code>Configuration</code> is also affected by this issue. |
| This includes <code>HttpAppender</code>, <code>SocketAppender</code>, and <code>SyslogAppender</code>. |
| Usages of <code>SslConfiguration</code> that are configured via system properties are not affected.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2020-9488-mitigation">Mitigation</h4> |
| <div class="paragraph"> |
| <p>Upgrade to <code>2.12.3</code> (Java 7) or <code>2.13.2</code> (Java 8 and later).</p> |
| </div> |
| <div class="paragraph"> |
| <p>Alternatively, users can set the <code>mail.smtp.ssl.checkserveridentity</code> system property to <code>true</code> to enable SMTPS hostname verification for all SMTPS mail sessions.</p> |
| </div> |
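| <div class="paragraph"> |
| <p>An added example, not code from Log4j or from this advisory, to make the missing check concrete: a Python model of the server-identity verification that <code>mail.smtp.ssl.checkserveridentity=true</code> turns on. Certificate chain validation is assumed to have already passed; the function only decides whether the certificate's <code>dNSName</code> entries cover the host the appender was configured to reach. The certificate names are constructed, and wildcard handling follows a simplified reading of RFC 6125.</p> |
| </div> |

```python
"""Server-identity (hostname) check of the kind CVE-2020-9488 describes as missing.

Added example, not Log4j code: it models what enabling mail.smtp.ssl.checkserveridentity
buys you. Chain validation is assumed done; the only question here is whether the
certificate names the host the appender meant to reach.
"""


def _san_matches(expected: str, san_dns: str) -> bool:
    """Does one dNSName entry from subjectAltName cover the expected host?"""
    host = expected.lower().rstrip(".").split(".")
    pat = san_dns.lower().rstrip(".").split(".")
    if len(host) != len(pat) or len(host) < 2:
        return False
    # A wildcard may only be the whole leftmost label and must leave at least two labels
    # to its right: "*.example.org" is fine, "*.org" and "f*o.example.org" are rejected.
    if any("*" in label for label in pat[1:]):
        return False
    if "*" in pat[0]:
        if pat[0] != "*" or len(pat) < 3:
            return False
        return pat[1:] == host[1:]
    return pat == host


def verify_server_identity(expected_host: str, san_dns_names: list[str],
                           check_server_identity: bool = True) -> bool:
    """Accept the connection?

    With check_server_identity=False the decision rests on chain validation alone, so a
    valid certificate for any other name passes: that is the mismatch the advisory describes.
    With it on, some dNSName in the certificate must match the host we configured.
    """
    if not check_server_identity:
        return True
    return any(_san_matches(expected_host, name) for name in san_dns_names)


# Constructed certificate names for illustration (no real hosts or certificates involved).
CERT_SANS = ["smtp.example.org", "*.relay.example.org"]

if __name__ == "__main__":
    print(verify_server_identity("smtp.example.org", CERT_SANS))                                # True
    print(verify_server_identity("other.example.net", CERT_SANS))                               # False
    print(verify_server_identity("other.example.net", CERT_SANS, check_server_identity=False))  # True
```

| <div class="paragraph"> |
| <p>The third call is the pre-fix behaviour: a certificate that is perfectly valid for some other name is accepted for the configured SMTPS host, which is what lets an interposed server read the mailed log events. Setting the system property, or upgrading, makes the second call's result the effective one.</p> |
| </div> |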
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2020-9488-credits">Credits</h4> |
| <div class="paragraph"> |
| <p>This issue was discovered by Peter Stöckli.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2020-9488-references">References</h4> |
| <div class="ulist"> |
| <ul> |
| <li> |
| <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-9488">CVE-2020-9488</a></p> |
| </li> |
| <li> |
| <p><a href="https://issues.apache.org/jira/browse/LOG4J2-2819">LOG4J2-2819</a></p> |
| </li> |
| </ul> |
| </div> |
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="CVE-2017-5645"><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-5645">CVE-2017-5645</a></h3> |
| <table class="tableblock frame-all grid-all stretch"> |
| <colgroup> |
| <col style="width: 16.6666%;"> |
| <col style="width: 83.3334%;"> |
| </colgroup> |
| <tbody> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Summary</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock">TCP/UDP socket servers can be exploited to execute arbitrary code</p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 2.0 Score & Vector</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock">7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)</p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Components affected</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>log4j-core</code></p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Versions affected</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>[2.0-alpha1, 2.8.2)</code></p></td> |
| </tr> |
| <tr> |
| <th class="tableblock halign-left valign-top"><p class="tableblock">Versions fixed</p></th> |
| <td class="tableblock halign-left valign-top"><p class="tableblock"><code>2.8.2</code> (Java 7)</p></td> |
| </tr> |
| </tbody> |
| </table> |
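| <div class="paragraph"> |
| <p>An added example, not code from the Apache Logging Services site or from Log4j: a Python checker that parses the "Versions affected" notation used in the tables for CVE-2020-9488 and CVE-2017-5645 above (half-open intervals joined by <code>∪</code>) and reports which of those advisories cover a given <code>log4j-core</code> version. It assumes a simplified version ordering (alpha &lt; beta &lt; rc &lt; final release) rather than Maven's full qualifier rules; that is sufficient for the versions listed on this page.</p> |
| </div> |

```python
"""Decide whether a log4j-core version falls inside the "Versions affected" ranges above.

Added example, not code from the Apache Logging Services site or from Log4j. The range
notation is the one used in the advisory tables: "[a, b)" half-open intervals joined by "∪".
Version ordering is a simplified model (alpha < beta < rc < final release); Maven's complete
qualifier rules are not reproduced, but this is enough for the versions listed on this page.
"""
import re

_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_RELEASE_RANK = (len(_QUALIFIER_RANK), 0)   # a final release sorts after all its pre-releases


def parse_version(text: str) -> tuple:
    """'2.0-beta1' -> ((2, 0, 0, 0), (1, 1)); '2.12.3' -> ((2, 12, 3, 0), (3, 0))."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([a-z]+)(\d*))?", text.strip().lower())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    nums = tuple(int(n) for n in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))            # 2.0 == 2.0.0 for comparison purposes
    if m.group(2) is None:
        return nums, _RELEASE_RANK
    if m.group(2) not in _QUALIFIER_RANK:
        raise ValueError(f"unknown qualifier in {text!r}")
    return nums, (_QUALIFIER_RANK[m.group(2)], int(m.group(3) or 0))


_INTERVAL = re.compile(r"\s*([\[(])\s*([^,\s]+)\s*,\s*([^\]\)\s]+)\s*([\])])\s*")


def parse_ranges(spec: str) -> list:
    """'[2.0-beta1, 2.12.3) ∪ [2.13.1, 2.13.2)' -> list of (low, low_incl, high, high_incl)."""
    intervals = []
    for part in spec.split("∪"):
        m = _INTERVAL.fullmatch(part)
        if not m:
            raise ValueError(f"bad interval: {part!r}")
        intervals.append((parse_version(m.group(2)), m.group(1) == "[",
                          parse_version(m.group(3)), m.group(4) == "]"))
    return intervals


def is_affected(version: str, spec: str) -> bool:
    """True if version lies in any interval of spec."""
    v = parse_version(version)
    for low, low_incl, high, high_incl in parse_ranges(spec):
        above = v > low or (low_incl and v == low)
        below = v < high or (high_incl and v == high)
        if above and below:
            return True
    return False


# Ranges copied from the advisory tables on this page.
ADVISORIES = {
    "CVE-2020-9488": "[2.0-beta1, 2.12.3) ∪ [2.13.1, 2.13.2)",
    "CVE-2017-5645": "[2.0-alpha1, 2.8.2)",
}


def affected_by(version: str) -> list:
    """CVE identifiers from ADVISORIES whose affected range contains the given version."""
    return sorted(cve for cve, spec in ADVISORIES.items() if is_affected(version, spec))


if __name__ == "__main__":
    for v in ["2.0-alpha1", "2.8.1", "2.12.3", "2.13.0", "2.13.1", "2.17.0"]:
        print(v, affected_by(v))
```

| <div class="paragraph"> |
| <p>Note that the union notation matters: <code>2.13.0</code> sits in the gap between the two intervals of CVE-2020-9488 and is reported as unaffected by it, while <code>2.13.1</code> is affected, exactly as the table states. Other tables on this site use the same notation and can be added to <code>ADVISORIES</code> verbatim.</p> |
| </div> |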
| <div class="sect3"> |
| <h4 id="CVE-2017-5645-description">Description</h4> |
| <div class="paragraph"> |
| <p>When using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2017-5645-mitigation">Mitigation</h4> |
| <div class="paragraph"> |
| <p>Java 7 and above users should migrate to version <code>2.8.2</code> or avoid using the socket server classes. |
| Java 6 users should avoid using the TCP or UDP socket server classes, or they can manually backport <a href="https://github.com/apache/logging-log4j2/commit/5dcc192">the security fix commit</a> from <code>2.8.2</code>.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2017-5645-credits">Credits</h4> |
| <div class="paragraph"> |
| <p>This issue was discovered by Marcio Almeida de Macedo of Red Team at Telstra.</p> |
| </div> |
| </div> |
| <div class="sect3"> |
| <h4 id="CVE-2017-5645-references">References</h4> |
| <div class="ulist"> |
| <ul> |
| <li> |
| <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-5645">CVE-2017-5645</a></p> |
| </li> |
| <li> |
| <p><a href="https://issues.apache.org/jira/browse/LOG4J2-1863">LOG4J2-1863</a></p> |
| </li> |
| <li> |
| <p><a href="https://github.com/apache/logging-log4j2/commit/5dcc192">Security fix commit</a></p> |
| </li> |
| </ul> |
| </div> |
| </div> |
| </div> |
| </div> |
| </div> |
| </div> |
| </div> |
| |
| |
| <div class="footer"> |
| <div class="container"> |
| <p> |
| Copyright © 2017-2024 <a href="https://www.apache.org" target="external">The Apache Software Foundation</a>. |
| Licensed under the <a href="https://www.apache.org/licenses/LICENSE-2.0" |
| target="external">Apache Software License, Version 2.0</a>. Please read our <a href="https://privacy.apache.org/policies/privacy-policy-public.html">privacy policy</a>. |
| </p><p> |
| Apache, Chainsaw, log4cxx, Log4j, Log4net, log4php and the Apache |
| feather logo are trademarks or registered trademarks of The Apache |
| Software Foundation. |
| Oracle and Java are registered trademarks |
| of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. |
| </p> |
| </div> |
| </div> |
| </body> |
| </html> |