This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/master by this push: new 654b194 Adds Log4j vulnerability announcement 654b194 is described below commit 654b1944a68a9f94d1cc66b707972291615c4fc0 Author: Lukasz Lenart <lukaszlen...@apache.org> AuthorDate: Sun Dec 12 17:02:19 2021 +0100 Adds Log4j vulnerability announcement --- source/announce-2021.md | 13 +++++++++++++ source/index.html | 10 ++++++---- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/source/announce-2021.md b/source/announce-2021.md index 16c5794..2149821 100644 --- a/source/announce-2021.md +++ b/source/announce-2021.md @@ -13,6 +13,19 @@ title: Announcements 2021 Skip to: <a href="announce-2020">Announcements - 2020</a> </p> +#### 12 December 2021 - Security Advice on Log4j 2.15.0 {#a20211212-1} + +The Apache Struts team would like to announce that all the users using the latest Struts 2.5.x series should upgrade +[Log4j](https://logging.apache.org/log4j/2.x/) library to the latest **2.15.0** version which addresses +the Remote-Code-Execution vulnerability **CVE-2021-44228**. + +This version of Log4j requires Java 8, while Apache Struts 2.5.x series is still using Java 1.7 and because +of that we cannot prepare a new patched 2.5.x version. Yet, in most cases this is a drop-in upgrade as Log4j 2.15.0 +maintains binary compatibility with previous releases - once you are running on Java 8. In case you are not able +to upgrade Log4j, please use one of the described mitigations. + +More information can be found [here](https://logging.apache.org/log4j/2.x/#News). + #### 12 December 2021 - Struts 2.5.28 General Availability {#a20211212} The Apache Struts group is pleased to announce that Struts 2.5.28 is available as a "General Availability" diff --git a/source/index.html b/source/index.html index c57d515..643d20d 100644 --- a/source/index.html +++ b/source/index.html 
@@ -31,11 +31,13 @@ title: Welcome to the Apache Struts project <a href="{{ site.wiki_url }}/Version+Notes+{{ site.current_version }}">Version notes</a> </div> <div class="column col-md-4"> - <h2>Security Advice S2-061 released</h2> + <h2>Security Advice on Log4j 2.15.0</h2> <p> - Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. - Read more in - <a href="announce-2020#a20201208">Announcement</a> + The Apache Struts team would like to announce that all the users using + the latest Struts 2.5.x series should upgrade Log4j library to the + latest 2.15.0 version which addresses the Remote-Code-Execution + vulnerability - CVE-2021-44228. . + Read more in <a href="announce-2021#a20211212-2">Announcement</a> </p> </div> <div class="column col-md-4">
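Review bot: in the announce-2021.md hunk, the sentence "In case you are not able to upgrade Log4j, please use one of the described mitigations." refers to mitigations that are not described anywhere on this page, so a reader has nowhere to go; either say where they are described (the Log4j 2.x news page linked in the following paragraph) or list them inline. In the same hunk, the bare link text in `More information can be found [here](https://logging.apache.org/log4j/2.x/#News).` is non-descriptive; prefer naming the target, e.g. `More information can be found on the [Log4j 2.x news page](https://logging.apache.org/log4j/2.x/#News).`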
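Review bot: the "Read more" link in the index.html hunk points to `announce-2021#a20211212-2`, but the heading added in announce-2021.md by this same commit is given the id `{#a20211212-1}` (the 2.5.28 GA heading keeps `{#a20211212}`), so the link targets an anchor that does not exist and will not scroll to the advisory; change the href to `announce-2021#a20211212-1`. In the same hunk, the line `vulnerability - CVE-2021-44228. .` carries a stray second period that will render on the front page; drop the trailing ` .`.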