
Change Javadoc generation per CVE-2013-1571, VU#225657

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.0-beta7
    • Fix Version/s: 2.0-beta8
    • Component/s: Documentation
    • Labels:
      None

      Description

      Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1], VU#225657 [2]) whereby Javadoc generated with Java 5, Java 6, or Java 7 < 7u25 is vulnerable to a frame injection attack. Oracle has provided a repair-in-place tool for Javadoc that cannot be easily regenerated, but is urging developers to regenerate whatever Javadoc they can using Java 7u25. For all practical purposes, the vulnerability really only applies to publicly-hosted Javadoc, so the Javadoc in our existing Maven artifacts really doesn't have to be worried about (not that we could do anything about it). My thoughts on this:

      1) We should apply the repair-in-place tool ASAP to the Javadoc on the website for Log4j 1 and Log4j 2.

      2) Future Log4j 1 and 2 Javadoc should be generated with 7u25 or better. There will be no fix for Java 5 or 6. Thankfully, generating Javadoc using a different JDK than you used to compile is quite easy in both Maven and Ant. In fact, I prefer it that way, because the Javadoc is much more visually attractive in Java 7.

      [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
      [2] http://www.kb.cert.org/vuls/id/225657
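Point 2 of the description, generating Javadoc with a newer JDK than the one used to compile, can be expressed in Maven by pinning the plugin version the comments on this issue name (2.9.1) and pointing it at a separate JDK 7u25 installation. The pom.xml below is an added example, not the Log4j project's own build configuration; the `JDK7_HOME` environment variable, the example coordinates, and the Java 5 source level are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not Log4j's own pom.xml.
     Assumption: JDK 7u25 (or later) is installed and the environment
     variable JDK7_HOME points at its root directory. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>javadoc-regeneration-example</artifactId>
  <version>1.0-SNAPSHOT</version>

  <build>
    <plugins>
      <!-- Compilation keeps whatever language level the project targets;
           it is independent of the JDK used to render the Javadoc. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.1</version>
        <configuration>
          <source>1.5</source>
          <target>1.5</target>
        </configuration>
      </plugin>

      <!-- Javadoc is rendered by a separate, patched JDK. 2.9.1 is the
           plugin version the comments on this issue say contains the fix. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-javadoc-plugin</artifactId>
        <version>2.9.1</version>
        <configuration>
          <!-- javadocExecutable overrides the javadoc binary of the JDK
               running Maven; the JDK7_HOME path is an assumption. -->
          <javadocExecutable>${env.JDK7_HOME}/bin/javadoc</javadocExecutable>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
```

Run it as `JDK7_HOME=/path/to/jdk1.7.0_25 mvn javadoc:javadoc` (path assumed) and publish only the freshly generated `index.html` and companion pages; Maven itself can keep running on the older JDK. Ant's `javadoc` task offers the same separation through its `executable` attribute, so an Ant build needs no JDK switch either.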

        Activity

        Ralph Goers added a comment -

        Updated javadoc plugin version to 2.9.1 which contains the fix for this issue.

        Ralph Goers added a comment -

        The javadoc for Log4j 2 on the public web site has been patched.

        Ralph Goers added a comment -

        Site generation with Maven was fixed in revision 1495798. The live site still needs to be fixed.

          People

          • Assignee: Unassigned
          • Reporter: Nick Williams
          • Votes: 0
          • Watchers: 2


              Time Tracking

              Estimated: 1h
              Remaining: 1h
              Logged: Not Specified
