Details
Documentation
Status: Closed
Major
Resolution: Fixed
2.15.0
None
None
Description
I propose to update the text of the mitigation section for CVE-2021-44228 on https://logging.apache.org/log4j/2.x/security.html
Changes: add a Log4j 1.x section, and format the Log4j 2.x section as a bullet point list for improved readability.
Log4j 1.x mitigation: Audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability. (The JMSAppender issue is now tracked separately as CVE-2021-4104; unlike the Log4j 2.x issue, it requires the attacker to have write access to the logging configuration, because the JNDI names come from the configuration rather than from logged messages.)
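An added example of the audit the paragraph above asks for, in Python; it is not the Log4j project's code and not part of this proposal. It reports every appender bound to org.apache.log4j.net.JMSAppender in a log4j.properties or log4j.xml file. The two configurations embedded in it are constructed samples, not files taken from any real deployment.

```python
"""Report Log4j 1.x appenders bound to JMSAppender in log4j.properties or log4j.xml.
Added example, not Log4j project code; the two configurations are constructed."""
import re
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
APPENDER_LINE = re.compile(r"^log4j\.appender\.([^.=:\s]+)\s*[=:]\s*(\S+)$")


def jms_appenders_in_properties(text):
    """Appender names whose class is JMSAppender; tolerates '=' or ':' separators
    and '#'/'!' comment lines, as java.util.Properties does."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = APPENDER_LINE.match(line)
        if m and m.group(2) == JMS_APPENDER:
            found.append(m.group(1))
    return found


def jms_appenders_in_xml(text):
    """Appender names whose class attribute is JMSAppender in a log4j.xml file.
    The match is exact, so a subclass registered under another name is missed."""
    root = ET.fromstring(text)
    return [a.get("name", "?") for a in root.iter("appender")
            if a.get("class") == JMS_APPENDER]


def audit_config(text):
    """Pick the parser by format; returns (format, [offending appender names])."""
    if text.lstrip().startswith("<"):
        return "xml", jms_appenders_in_xml(text)
    return "properties", jms_appenders_in_properties(text)


# Constructed samples, one per format, each declaring exactly one JMSAppender.
SAMPLE_PROPERTIES = """\
# constructed log4j.properties
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.jms = org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""

SAMPLE_XML = """\
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="logTopic"/>
  </appender>
  <root><level value="info"/><appender-ref ref="jms"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PROPERTIES, SAMPLE_XML):
        fmt, names = audit_config(sample)
        print(fmt, "JMSAppender instances:", names or "none")
```

Point it at every log4j.properties and log4j.xml on a host (including copies packaged inside jars and wars, which is where they usually hide); any non-empty result is a configuration that the paragraph above says must be changed. Because the class-name match is exact, follow up with a plain text search for "JMSAppender" to catch subclasses.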
Log4j 2.x mitigation: Implement one of the mitigation techniques below.
- Upgrade to release 2.15.0 or later.
- For releases >= 2.10, either:
  - set the system property log4j2.formatMsgNoLookups to true (see https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties), or
  - set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true (documented on the same page).
- For releases >= 2.7 and <= 2.14.1, modify your logging configuration so that every pattern layout disables message lookups:
  - use %m{nolookups} instead of just %m
  - use %msg{nolookups} instead of just %msg
  - use %message{nolookups} instead of just %message
- For releases >= 2.0-beta9 and < 2.7, the only mitigation is to remove the JndiLookup class from the classpath; run this against each log4j-core jar on the classpath:
  zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Only log4j-core is affected; the log4j-api JAR file in Log4j 2 is not impacted by this vulnerability.
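The version tiers above, as an added example in Python rather than the project's own tooling (this code is not from the Log4j project or from this proposal). It reads the log4j-core version from the jar file name, falling back to the manifest (the manifest keys it checks, Log4jReleaseVersion and Implementation-Version, are an assumption), maps the version onto the ranges listed, reports whether JndiLookup.class is present, skips log4j-api jars as not impacted, and for the pre-2.7 tier rewrites the jar without that entry, which is what the zip -q -d command does. The jars it works on are constructed fixtures with placeholder class bytes, not real Log4j builds.

```python
"""Audit log4j-core jars against the mitigation tiers listed above and, where
the page prescribes it, strip JndiLookup.class from the jar.
Added example, not Log4j project code; it only touches constructed jars."""
import os
import re
import shutil
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?$")
PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}

def version_key(version):
    """Sortable key; a pre-release such as 2.0-beta9 sorts below the 2.0 release."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised Log4j version: %r" % version)
    major, minor, patch, tag, num = m.groups()
    if tag is None:
        return (int(major), int(minor), int(patch or 0), 1, 0, 0)
    return (int(major), int(minor), int(patch or 0), 0,
            PRERELEASE_RANK.get(tag.lower(), -1), int(num or 0))

def mitigation_tier(version):
    """Map a log4j-core version onto the ranges listed in the proposal above."""
    v = version_key(version)
    if v >= version_key("2.15.0"):
        return "fixed"
    if v >= version_key("2.10"):
        return "formatMsgNoLookups"   # property/env var; %m{nolookups} also applies <= 2.14.1
    if v >= version_key("2.7"):
        return "nolookups-pattern"    # %m{nolookups} in every pattern layout
    if v >= version_key("2.0-beta9"):
        return "remove-JndiLookup"    # the zip -q -d step
    return "outside-listed-range"

def jar_version(jar_path):
    """Version from the file name (log4j-core-2.x.y.jar), else from the manifest.
    Assumption: the manifest carries Log4jReleaseVersion or Implementation-Version."""
    m = re.search(r"log4j-core-(\d[\w.\-]*)\.jar$", os.path.basename(jar_path))
    if m:
        return m.group(1)
    with zipfile.ZipFile(jar_path) as z:
        if "META-INF/MANIFEST.MF" not in z.namelist():
            return None
        manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for key in ("Log4jReleaseVersion", "Implementation-Version"):
        m = re.search(r"^%s:\s*(\S+)" % key, manifest, re.MULTILINE)
        if m:
            return m.group(1)
    return None

def has_jndi_lookup(jar_path):
    with zipfile.ZipFile(jar_path) as z:
        return JNDI_LOOKUP in z.namelist()

def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (the zip -d step, done in Python).
    Returns True if the entry was removed, False if it was not present."""
    if not has_jndi_lookup(jar_path):
        return False
    fd, tmp = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    shutil.move(tmp, jar_path)
    return True

def audit(jar_path):
    """Verdict for one jar; log4j-api is reported as not impacted."""
    name = os.path.basename(jar_path)
    if name.startswith("log4j-api-"):
        return {"jar": name, "tier": "not-impacted (log4j-api)", "jndi_lookup": False}
    version = jar_version(jar_path)
    return {"jar": name, "version": version,
            "tier": mitigation_tier(version) if version else "unknown-version",
            "jndi_lookup": has_jndi_lookup(jar_path)}

def make_fake_jar(directory, name, version, with_jndi=True):
    """Constructed fixture: a jar with a manifest and placeholder class entries."""
    path = os.path.join(directory, name)
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return path

def demo():
    """Audit three constructed jars, then strip the class where the page says to."""
    workdir = tempfile.mkdtemp()
    old = make_fake_jar(workdir, "log4j-core-2.5.jar", "2.5")
    newer = make_fake_jar(workdir, "log4j-core-2.14.1.jar", "2.14.1")
    api = make_fake_jar(workdir, "log4j-api-2.14.1.jar", "2.14.1", with_jndi=False)
    results = [audit(p) for p in (old, newer, api)]
    if results[0]["tier"] == "remove-JndiLookup":
        strip_jndi_lookup(old)
    results.append(audit(old))       # the same jar after the class was removed
    shutil.rmtree(workdir)
    return results

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running it prints one verdict per jar. Two caveats a practitioner would want: rewriting a signed jar invalidates its signature, so re-sign or accept an unsigned jar before deploying; and the version ranges encoded here are the ones this proposal lists, which later Log4j advisories revised (the formatMsgNoLookups mitigation in particular was later found incomplete), so consult the current security page before relying on any tier other than upgrading.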