jvz commented on code in PR #6: URL: https://github.com/apache/logging-site/pull/6#discussion_r1996228917
########## _vulnerabilities.adoc: ########## @@ -106,8 +107,8 @@ Independently discovered by Hideki Okamoto of Akamai Technologies, Guy Lederfein |Summary |Thread Context Lookup is vulnerable to remote code execution in certain configurations |CVSS 3.x Score & Vector |9.0 CRITICAL (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) |Components affected |`log4j-core` -|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)` -|Versions fixed |`2.3.1` (for Java 6), `2.12.3` (for Java 7), and `2.17.0` (for Java 8 and later) +|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.16.0)`

Review Comment:
The JNDI lookup issues were all fixed in 2.16.0. The JNDI-related bugs fixed in 2.17+ were only relevant in a scenario where either the adversary has control over the logging configuration (which is outside the threat model we published later on for clarification) or in a scenario where a JNDI URL is used to configure a plugin that uses JNDI for something (such as the JDBC and JMS appenders) and the JNDI URL either points to a compromised LDAP server or the URL is somehow user-configurable (the latter also being outside the scope of our threat model). While 2.16.0 fixes the JNDI-related issues from log4shell, it didn't fix all _possible_ JNDI-related issues. It was in 2.17.0 where we introduced a feature flag to enable JNDI at all to avoid potential use of these JNDI-linked classes in some sort of gadget chain.
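Review bot: the hunk as quoted removes the `|Versions fixed |` row (`2.3.1` for Java 6, `2.12.3` for Java 7, `2.17.0` for Java 8 and later) and shows no replacement, while the header `@@ -106,8 +107,8 @@` announces eight lines on the new side and only four are visible; so either the fixed-versions row was cut from the quoted hunk or it needs to be re-added so that it agrees with the new upper bound. With the affected interval now ending at `2.16.0`, the Java 8 and later entry should read `2.16.0` rather than `2.17.0`, while the `2.3.1` and `2.12.3` entries for Java 6 and 7 are untouched by this edit.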
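Added example (not code from the PR or from the Apache Logging project): a checker for the interval notation used in the `Versions affected` row, so a defender can test a deployed `log4j-core` version against the range as it read before and after this change. The two range strings are copied from the hunk; the version list in `__main__` is constructed for illustration, and the pre-release ordering (`beta9` sorts before the plain release) is an assumption about how the page's notation is read.

```python
import re

# Range strings copied from the hunk: the row before and after this PR's change.
AFFECTED_BEFORE = "[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)"
AFFECTED_AFTER = "[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.16.0)"


def version_key(v):
    """Sort key: numeric components, then a pre-release tag.

    Assumption: '2.0-beta9' sorts before the '2.0' release, and pre-release
    tags order alphabetically then numerically (beta9 < rc1).
    """
    main, _, pre = v.partition("-")
    nums = tuple(int(x) for x in main.split("."))
    nums += (0,) * (3 - len(nums))          # treat 2.4 as 2.4.0
    if not pre:
        return nums + (1, "", 0)            # a release sorts after any pre-release
    m = re.fullmatch(r"([a-zA-Z]+)(\d*)", pre)
    return nums + (0, m.group(1).lower(), int(m.group(2) or 0))


def parse_intervals(spec):
    """Parse '[a, b) ∪ [c, d]' into (low, low_inclusive, high, high_inclusive) tuples."""
    out = []
    for part in spec.split("∪"):
        m = re.fullmatch(r"\s*([\[(])\s*([^,]+?)\s*,\s*([^\])]+?)\s*([\])])\s*", part)
        if not m:
            raise ValueError(f"bad interval: {part!r}")
        lo_br, lo, hi, hi_br = m.groups()
        out.append((lo, lo_br == "[", hi, hi_br == "]"))
    return out


def is_affected(version, spec):
    """True if `version` falls inside any interval of the union `spec`."""
    k = version_key(version)
    for lo, lo_inc, hi, hi_inc in parse_intervals(spec):
        lo_ok = k >= version_key(lo) if lo_inc else k > version_key(lo)
        hi_ok = k <= version_key(hi) if hi_inc else k < version_key(hi)
        if lo_ok and hi_ok:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample versions; 2.16.0 flips from affected to not affected.
    for v in ["2.0-beta9", "2.3.1", "2.12.2", "2.15.0", "2.16.0", "2.17.0"]:
        print(f"{v:10} before={is_affected(v, AFFECTED_BEFORE)} after={is_affected(v, AFFECTED_AFTER)}")
```

The only version whose verdict changes between the two strings is `2.16.0`, which is exactly the point the review comment makes.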