<!DOCTYPE html><html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8"/>
<title>Apache Sling :: Apache Sling advisory regarding CVE-2021-44228 and LOGBACK-1591</title>
<link rel="icon" href="/favicon.ico"/>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/bulma/0.7.5/css/bulma.min.css"/>
<link rel="stylesheet" href="/res/css/site.css"/>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/default.min.css"/>
<script src='https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/highlight.min.js'></script><script>
hljs.initHighlightingOnLoad();
</script>
</head> <body>
<div class="section">
<div class="level is-marginless">
<div class="logo">
<a href="https://sling.apache.org">
<img border="0" alt="Apache Sling" src="/res/logos/sling.svg"/>
</a>
</div><div class="header">
<a href="https://www.apache.org">
<img border="0" alt="Apache" src="/res/logos/apache.png"/>
</a>
</div>
</div><div class="columns is-gapless">
<div class="column main">
<div class="box is-shadowless is-marginless">
<div class="level">
<div class="tags">
<span class="tag">
<a href="/tags/security.html">
security
</a>
</span>
</div>
</div><h1 class="title">
Apache Sling advisory regarding CVE-2021-44228 and LOGBACK-1591
</h1><div class="content is-marginless">
<div class="row" data-pagefind-body="true"><div><section><p>On 9th December 2021, a new zero-day vulnerability for <a href="https://logging.apache.org/log4j/2.x/index.html">Apache Log4j 2</a> was reported. It is tracked under <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228">CVE-2021-44228</a> and affects Log4j versions from 2.0-beta9 (inclusive) to 2.15.0 (exclusive). It is also known under the <em>Log4Shell</em> name.</p>
<p>Apache Sling modules use the <a href="http://www.slf4j.org">Simple Logging Facade for Java</a> (slf4j) for logging, backed by the <a href="https://github.com/apache/sling-org-apache-sling-commons-log/">Sling Commons Log bundle</a>. There are no Sling modules using versions of Log4j affected by <em>Log4Shell</em>. The Sling Starter and Sling CMS applications do not include any vulnerable version of the Log4j library.</p>
<p>Applications built on top of Apache Sling are not impacted by CVE-2021-44228, provided they do not deploy a vulnerable version of Log4j themselves.</p>
<p>The Sling Commons Log bundle wraps <code>logback-core</code> and <code>logback-classic</code>, but does not allow arbitrary modifications to the <code>logback.xml</code> file and is therefore not vulnerable to the attack described in <a href="https://jira.qos.ch/browse/LOGBACK-1591">LOGBACK-1591</a>.</p>
<p>The Apache Sling PMC recommends that developers and operators of applications built on top of Apache Sling review the libraries they deploy to ensure that they do not include vulnerable versions of Log4j.</p>
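<p>As a worked example of the library review recommended above, and not code from the Apache Sling project, the following Python script walks a deployment directory, opens every jar (descending into bundles embedded in launcher jars), reads the Maven metadata that <code>log4j-core</code> ships with, and checks the version against the range the advisory states: 2.0-beta9 (inclusive) to 2.15.0 (exclusive). It goes one step beyond the text in that a copy of <code>log4j-core</code> repackaged without that metadata is reported for manual review, based on the presence of <code>JndiLookup.class</code>. The sample launcher jar it builds in a temporary directory, and every file name inside it, are constructed for this example.</p>

```python
import io
import os
import re
import tempfile
import zipfile

# Affected range as stated in the advisory: 2.0-beta9 (inclusive) to 2.15.0 (exclusive).
AFFECTED_FROM = "2.0-beta9"
FIXED_IN = "2.15.0"
# Maven metadata that log4j-core ships with, and the class implementing the JNDI lookup.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MAX_NESTING = 4  # launcher jars embed bundles, which may embed jars of their own
PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}

def parse_version(text):
    """Map a Log4j version string to a comparable tuple; qualifiers such as
    beta9 or rc1 sort below the final release carrying the same number."""
    numeric, _, qualifier = text.strip().partition("-")
    parts = tuple(int(p) for p in numeric.split(".") if p.isdigit())
    parts = parts + (0,) * (3 - len(parts))
    if not qualifier:
        return (parts, 1, 0, 0)
    m = re.match(r"([A-Za-z]+)(\d*)", qualifier)
    name = m.group(1).lower() if m else qualifier.lower()
    number = int(m.group(2)) if m and m.group(2) else 0
    return (parts, 0, PRERELEASE_RANK.get(name, 3), number)

def is_affected(version):
    """True when the version lies inside the advisory's affected range."""
    return parse_version(AFFECTED_FROM) <= parse_version(version) < parse_version(FIXED_IN)

def _scan_zip(zf, location, depth, findings):
    """Append (location, version, affected) for each log4j-core found in zf,
    descending into nested archives up to MAX_NESTING levels."""
    names = sorted(zf.namelist())
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.MULTILINE)
        version = m.group(1).strip() if m else "unknown"
        findings.append((location, version, is_affected(version) if m else None))
    elif JNDI_LOOKUP in names:
        # Repackaged log4j-core without Maven metadata: version unknown, review by hand.
        findings.append((location, "unknown (JndiLookup present)", None))
    if depth >= MAX_NESTING:
        return
    for name in names:
        if name.lower().endswith((".jar", ".war", ".zip")):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            _scan_zip(inner, f"{location}!{name}", depth + 1, findings)

def scan_archive(path):
    findings = []
    with zipfile.ZipFile(path) as zf:
        _scan_zip(zf, path, 0, findings)
    return findings

def scan_directory(root):
    """Scan every jar/war/zip below root; archives that fail to open are skipped."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith((".jar", ".war", ".zip")):
                try:
                    findings.extend(scan_archive(os.path.join(dirpath, fn)))
                except zipfile.BadZipFile:
                    continue
    return findings

def _jar_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample_launcher(path):
    """Constructed sample, not a real Sling artifact: a launcher jar embedding a
    vulnerable log4j-core, a fixed one, a repackaged copy and an unrelated bundle."""
    stub = b"\xca\xfe\xba\xbe"  # class-file magic only; the class body is irrelevant here
    bundles = {
        "resources/bundles/example-clean-bundle.jar": _jar_bytes({"META-INF/MANIFEST.MF": b"Bundle-SymbolicName: example\n"}),
        "resources/bundles/log4j-core-2.14.1.jar": _jar_bytes({POM_PROPS: b"version=2.14.1\n", JNDI_LOOKUP: stub}),
        "resources/bundles/log4j-core-2.15.0.jar": _jar_bytes({POM_PROPS: b"version=2.15.0\n", JNDI_LOOKUP: stub}),
        "resources/bundles/repackaged-logging.jar": _jar_bytes({JNDI_LOOKUP: stub}),
    }
    with open(path, "wb") as fh:
        fh.write(_jar_bytes(bundles))

def scan_sample():
    """Build the constructed launcher in a temp dir and return (version, affected) pairs."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_launcher(os.path.join(d, "launcher.jar"))
        return [(v, a) for _, v, a in scan_directory(d)]

if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "not affected", None: "review manually"}
    for version, affected in scan_sample():
        print(f"log4j-core {version}: {labels[affected]}")
```

<p>Run the file directly to check the constructed sample, or call <code>scan_directory()</code> on a real deployment directory. A <code>None</code> verdict means a <code>log4j-core</code> was found whose version could not be read; treat it as unresolved rather than clean, since a repackaged copy carries the same code as the original.</p>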
</section></div></div>
</div>
</div>
</div>
</div><footer class="footer">
<div class="content has-text-centered is-small">
<div class="revisionInfo">
Last modified by <span class="author">Robert Munteanu</span> on <span class="comment">2021-12-17</span>
</div><p>
Apache Sling, Sling, Apache, the Apache feather logo, and the Apache Sling project
logo are trademarks of The Apache Software Foundation. All other marks mentioned
may be trademarks or registered trademarks of their respective owners.
</p><p>
Copyright © 2007-2024 <a href="https://www.apache.org/">
The Apache Software Foundation
</a>|<a href="https://privacy.apache.org/policies/privacy-policy-public.html">
Privacy Policy
</a>
</p>
</div>
</footer>
</div>
</body>
</html>