Is it a security vulnerability?

Is it a security vulnerability?

I think it is.

It is very surprising that this critical security issue does not seem to have received due attention. It was reported to Apache half a month ago, but it was not fixed until five days ago. Even today, it has not released a new stable version to solve it.

Is it a security vulnerability?

I think it is.

It is very surprising that this critical security issue does not seem to have received due attention. It was reported to Apache half a month ago, but it was not fixed until five days ago. Even today, it has not released a new stable version to solve it.

Oh so glad you show such appreciation for the work of volunteers...

Is it a security vulnerability?

I think it is.
It is very surprising that this critical security issue does not seem to have received due attention. It was reported to Apache half a month ago, but it was not fixed until five days ago. Even today, it has not released a new stable version to solve it.

Oh so glad you show such appreciation for the work of volunteers...

@garydgregory

I wonder when log4j 2.15 will be officially released? It's hard to imagine that the craziest vulnerability this year has not been solved in the release half a month after it was reported.

Its impact is unimaginable. Countless services using log4j2 are exposed to the risk of being attacked, and the way to attack them is surprisingly simple. Even now I dare not open my minecraft server, because any member can attack it if they want - he/she can easily control my server by sending a text through the chat bar.

Is there anyone dealing with this matter urgently? It's really incomprehensible that I didn't see Apache give any emergency warning under such a serious problem.

Is it a security vulnerability?

I think it is.
It is very surprising that this critical security issue does not seem to have received due attention. It was reported to Apache half a month ago, but it was not fixed until five days ago. Even today, it has not released a new stable version to solve it.

Oh so glad you show such appreciation for the work of volunteers...

@garydgregory

I wonder when log4j 2.15 will be officially released? It's hard to imagine that the craziest vulnerability this year has not been solved in the release half a month after it was reported.

Its impact is unimaginable. Countless services using log4j2 are exposed to the risk of being attacked, and the way to attack them is surprisingly simple. Even now I dare not open my minecraft server, because any member can attack it if they want - he/she can easily control my server by sending a text through the chat bar.

Is there anyone dealing with this matter urgently? It's really incomprehensible that I didn't see Apache give any emergency warning under such a serious problem.

+1, and we are in desperate need of a CVE and security advisory to be announced asap. This could affect hundreds of thousands, if not millions, of services actively running on the internet.

We of course appreciate the efforts from contributors, but overall this is a major security issue that needs a new version release and a security advisory.

Your patience will soon be rewarded...

Also, if this matters to you so much, why not show it with a donation to the Apache Software Foundationhttps://www.apache.org/foundation/contributing.html or this project's main contributorhttps://github.com/sponsors/rgoers ?

Is it a security vulnerability?

I think it is.
It is very surprising that this critical security issue does not seem to have received due attention. It was reported to Apache half a month ago, but it was not fixed until five days ago. Even today, it has not released a new stable version to solve it.

Oh so glad you show such appreciation for the work of volunteers...

@garydgregory
I wonder when log4j 2.15 will be officially released? It's hard to imagine that the craziest vulnerability this year has not been solved in the release half a month after it was reported.
Its impact is unimaginable. Countless services using log4j2 are exposed to the risk of being attacked, and the way to attack them is surprisingly simple. Even now I dare not open my minecraft server, because any member can attack it if they want - he/she can easily control my server by sending a text through the chat bar.
Is there anyone dealing with this matter urgently? It's really incomprehensible that I didn't see Apache give any emergency warning under such a serious problem.

+1, and we are in desperate need of a CVE and security advisory to be announced asap. This could affect hundreds of thousands, if not millions, of services actively running on the internet.

We of course appreciate the efforts from contributors, but overall this is a major security issue that needs a new version release and a security advisory.

My understanding is that the procedure is to hold off on announcing the vulnerability until a patch is available. (Seehttps://www.apache.org/security/).

For background:

The team is taking it seriously. As Gary said, we are all volunteers working on this in our spare time. We are also in different time zones so communication is not instantaneous. If you think things can be improved, that's great! We need more people like you and I would encourage you toget involved!

We are in the process of getting a release out with the fix. During review, some security experts found a new vulnerability in our fix (a way to bypass the fix). This has been addressed and we are now in the process of reviewing the updated 2nd release candidate.

Usually (as per ASF rules) the teamshould wait 72 hours after creating a release candidate before publishing the release to give the community enough time to review and cast their votes. We are building consensus to shorten that window for this particular release, given its urgency.

You can't ask everybody to upgrade to 2.15 at once. And theformatMsgNoLookups option is available to log4j ≥ 2.10 only.

Thanks toLOG4J2-703, I think it's quite safe to removeorg/apache/logging/log4j/core/lookup/JndiLookup.class fromlog4j-core-*.jar as a workaround. Justzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class to disable${jndi:...} functionality completely.

I posted all log4j-core jar withJndiLookup.class removed athttps://github.com/zhangyoufu/log4j2-without-jndi for reference. Simple local test looks promising.

Update: the vote for log4j-2.15.0 passed and the release is in progress.

I can see the log4j web site reflecting thelog4j 2.15.0 release, but I cannot see the 2.15.0artifacts on Maven Central yet at this moment. It may take a few hours before mirror servers are synchronized and the artifacts become available for you.

An announcement email for the release will be sent out soon (within 24 hours - we usually wait some time for the mirror servers to catch up).

Thank you@zhangyoufu for the suggested workaround for older versions of log4j to remove theJndiLookup.class class! The team likes your idea and we will include the workaround you suggested in the release notes and announcement email. Many thanks!

@remkop thanks for your great work 👍
I come from theApache APISIX community, and we can intercept this security vulnerability at the API gateway level to provide some help. I wonder if there are such regular expression rules? thanks

Hi@rgoers, is log4j 1.x vulnerable?

Hi@rgoers, is log4j 1.x vulnerable?

Hi@yuezk, as far as I can tell, log4j 1.x does not support lookups.I also could not find any other reference to JNDI in thelog4j 1.x source code. So, no guarantees but it looks like 1.x is not impacted by this vulnerability.CORRECTION:log4j 1.x contains a JMS Appender which can use JNDI. So I would say that, yes, log4j 1.x is also impacted by this vulnerability (Thank you@garydgregory for pointing this out).

Update (2021-12-11 09:09 JST): according tothis analysis by@ceki (the author of log4j 1.x), Log4j 1.x is not impacted, since it does not have lookups, and the JMS Appender only loads Strings from the remote server, not serialized objects.

Update (2021-12-12 10:09 JST): according tothis analysis by@TopStreamsNet, strictly speaking, applications using Log4j 1.x may be impacted if their configuration uses JNDI. However, the risk is much lower.

Note that log4j 1.x isEnd of Life and hasother security vulnerabilities that will not be fixed.So we do not recommend using log4j 1.x as a way to avoid this security vulnerability. The recommendation is to upgrade to 2.15.0.