Initial security page refactoring (#1707)

src/site/asciidoc/_log4j1-eol.adoc

@@ -0,0 +1,23 @@
+////
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+         https://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+////
+
+[WARNING]
+====
+http://logging.apache.org/log4j/1.x[Log4j 1] has https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces[reached End of Life] in 2015, and is no longer supported.
+Vulnerabilities reported after August 2015 against Log4j 1 are not checked and will not be fixed.
+Users should xref:manual/migration.html[upgrade to Log4j 2] to obtain security fixes.
+====

src/site/asciidoc/security.adoc

@@ -0,0 +1,325 @@
+////
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+         https://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+////
+
+= Security
+
+The Apache Log4j Security Team takes security seriously.
+This allows our users to place their trust in Log4j for protecting their mission-critical data.
+In this page we will help you find guidance on security-related issues and access to known vulnerabilities.
+
+include::_log4j1-eol.adoc[]
+
+[#support]
+== Getting support
+
+If you need help on building or configuring Log4j or other help on following the instructions to mitigate the known vulnerabilities listed here, please use our xref:support.adoc#discussions[user support channels].
+
+[TIP]
+====
+If you need to apply a source code patch, use the building instructions for the Log4j version that you are using.
+These instructions can be found in `BUILDING.md` distributed with the sources.
+====
+
+[#reporting]
+== Reporting vulnerabilities
+
+If you have encountered an unlisted security vulnerability or other unexpected behaviour that has a security impact, or if the descriptions here are incomplete, please report them **privately** to mailto:security@logging.apache.org[the Log4j Security Team].
+
+[WARNING]
+====
+Reports assuming attacker's access to the Log4j configuration will not qualify as a vulnerability.
+====
+
+[#policy]
+== Vulnerability handling policy
+
+The Apache Log4j Security Team follows the https://www.apache.org/security/committers.html[ASF Project Security] guide for handling security vulnerabilities.
+
+Found security vulnerabilities are subject to voting (by means of https://logging.apache.org/guidelines.html[_lazy approval_], preferably) in the private mailto:security@logging.apache.org[security mailing list] before creating a CVE and populating its associated content.
+This procedure involves only the creation of CVEs and blocks neither (vulnerability) fixes, nor releases.
+
+[#Security_Impact_Levels]
+== Impact levels
+
+The Apache Log4j Security Team rates the impact of each security flaw that affects Log4j.
+We have chosen a rating scale quite similar to those used by other major vendors in order to be consistent.
+Basically the goal of the rating system is to answer the question of _"How worried should I be about this vulnerability?"_.
+
+Note that the rating may vary from platform to platform and the rating chosen for each flaw is the worst possible case across all architectures.
+To determine the exact impact of a particular vulnerability on your own systems you will still need to read the security advisories to find out more about the flaw.
+
+We use the following descriptions to decide on the impact rating to give each vulnerability:
+
+[cols="1,2",options="header"]
+|===
+|Severity|https://www.first.org/cvss/calculator/3.0[CVSS v3 Score Range]
+|Critical|9.0 - 10.0
+|High|7.0 - 8.9
+|Moderate|4.0 - 6.9
+|Low|0.1 - 3.9
+|===
+
+[#impact-level-critical]
+=== Critical
+
+A vulnerability rated with a _critical_ impact is one which could potentially be exploited by a remote attacker to get Log4j to execute arbitrary code (either as the user the server is running as, or root).
+These are the sorts of vulnerabilities that could be exploited automatically by worms.
+
+[#impact-level-high]
+=== High
+
+A vulnerability rated as _high_ impact is one which could result in the compromise of data or availability of the server.
+For Log4j this includes issues that allow an easy remote denial-of-service (something that is out of proportion to the attack or with a lasting consequence), access to arbitrary files outside the context root, or access to files that should be otherwise prevented by limits or authentication.
+
+[#impact-level-moderate]
+=== Moderate
+
+A vulnerability is likely to be rated as _moderate_ if there is significant mitigation to make the issue less of an impact.
+This might be because the flaw does not affect likely configurations, or it is a configuration that isn't widely used.
+
+[#impact-level-low]
+=== Low
+
+All other security flaws are classed as a _low_ impact.
+This rating is used for issues that are believed to be extremely hard to exploit, or where an exploit gives minimal consequences.
+
+[#vulnerabilities]
+== Known vulnerabilities
+
+The Log4j Security Team believes that accuracy, completeness and availability of security information is essential for our users.
+We choose to pool all information on this one page, allowing easy searching for security vulnerabilities over a range of criteria.
+
+[#CVE-2021-44832]
+=== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832[CVE-2021-44832]
+
+[cols="1h,5"]
+|===
+|Summary |Infinite recursion in lookup evaluation
+|Type |Denial-of-Service
+|Severity |Moderate
+|Base CVSS score |6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
+|Versions affected |all versions from `2.0-alpha1` to `2.16.0` (excluding `2.3.1` and `2.12.3`)
+|Versions fixed |`2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.0` (for Java 8 and later)
+|===
+
+[#CVE-2021-44832-description]
+==== Description
+
+Log4j versions `2.0-alpha1` through `2.16.0` (excluding `2.3.1` and `2.12.3`), did not protect from uncontrolled recursion that can be implemented using self-referential lookups.
+When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, `$${ctx:loginId}`), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a `StackOverflowError` that will terminate the process.
+This is also known as a _DoS (Denial-of-Service)_ attack.
+
+[#CVE-2021-44832-mitigation]
+==== Mitigation
+
+Upgrade to `2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.0` (for Java 8 and later).
+
+Alternatively, this infinite recursion issue can be mitigated in configuration:
+
+* In PatternLayout in the logging configuration, replace Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` with Thread Context Map patterns (`%X`, `%mdc`, or `%MDC`).
+* Otherwise, in the configuration, remove references to Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` where they originate
+from sources external to the application such as HTTP headers or user input.
+Note that this mitigation is insufficient in releases older than `2.12.2` (for Java 7), and `2.16.0` (for Java 8 and later) as the issues fixed in those releases will still be present.
+
+Note that only the `log4j-core` JAR file is impacted by this vulnerability.
+Applications using only the `log4j-api` JAR file without the `log4j-core` JAR file are not impacted by this vulnerability.
+
+[#CVE-2021-44832-credits]
+==== Credits
+
+Independently discovered by Hideki Okamoto of Akamai Technologies, Guy Lederfein of Trend Micro Research working with Trend Micro's Zero Day Initiative, and another anonymous vulnerability researcher.
+
+[#CVE-2021-44832-references]
+==== References
+
+- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105[CVE-2021-45105]
+- https://issues.apache.org/jira/browse/LOG4J2-3230[LOG4J2-3230]
+
+[#CVE-2021-45046]
+=== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046[CVE-2021-45046]
+
+[cols="1h,5"]
+|===
+|Summary |Thread Context Lookup is vulnerable to remote code execution in certain non-default configurations
+|Type |Remote Code Execution
+|Severity |Critical
+|Base CVSS score |9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
+|Versions affected |all versions from `2.0-beta9` to `2.15.0` (excluding `2.3.1` and `2.12.3`)
+|Versions fixed |`2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.0` (for Java 8 and later)
+|===
+
+[#CVE-2021-45046-description]
+==== Description
+
+It was found that the fix to address <<CVE-2021-44228>> in Log4j `2.15.0` was incomplete in certain non-default configurations.
+When the logging configuration uses a non-default Pattern Layout with a Thread Context Lookup (for example, `$${ctx:loginId}`), attackers with control over Thread Context Map (MDC) can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments.
+Remote code execution has been demonstrated on macOS, Fedora, Arch Linux, and Alpine Linux.
+
+Note that this vulnerability is not limited to just the JNDI lookup.
+Any other Lookup could also be included in a Thread Context Map variable and possibly have private details exposed to anyone with access to the logs.
+
+Note that only the `log4j-core` JAR file is impacted by this vulnerability.
+Applications using only the `log4j-api` JAR file without the `log4j-core` JAR file are not impacted by this vulnerability.
+
+[#CVE-2021-45046-mitigation]
+==== Mitigation
+
+Upgrade to Log4j `2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.0` (for Java 8 and later).
+
+[#CVE-2021-45046-credits]
+==== Credits
+
+This issue was discovered by Kai Mindermann of iC Consult and separately by 4ra1n.
+
+Additional vulnerability details discovered independently by Ash Fox of Google, Alvaro Muñoz and Tony Torralba from GitHub, Anthony Weems of Praetorian, and RyotaK (@ryotkak).
+
+[#CVE-2021-45046-references]
+==== References
+
+- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046[CVE-2021-45046]
+- https://issues.apache.org/jira/browse/LOG4J2-3221[LOG4J2-3221]
+
+[#CVE-2021-44228]
+=== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228[CVE-2021-44228]
+
+[cols="1h,5"]
+|===
+|Summary |JNDI lookup can be exploited to execute arbitrary code loaded from an LDAP server
+|Type |Remote Code Execution
+|Severity |Critical
+|Base CVSS score |10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+|Versions affected |all versions from `2.0-beta9` to `2.14.1` (excluding `2.3.1` and `2.12.3`)
+|Versions fixed |`2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.0` (for Java 8 and later)
+|===
+
+[#CVE-2021-44228-description]
+==== Description
+
+In Log4j, the JNDI features used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints.
+An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers.
+
+Note that only the `log4j-core` JAR file is impacted by this vulnerability.
+Applications using only the `log4j-api` JAR file without the `log4j-core` JAR file are not impacted by this vulnerability.
+
+[#CVE-2021-44228-mitigation]
+==== Mitigation
+
+[#CVE-2021-44228-mitigation-log4j1]
+===== Log4j 1 mitigation
+
+include::_log4j1-eol.adoc[]
+
+Log4j 1 does not have Lookups, so the risk is lower.
+Applications using Log4j 1 are only vulnerable to this attack when they use JNDI in their configuration.
+A separate CVE (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104[CVE-2021-4104]) has been filed for this vulnerability.
+To mitigate, audit your logging configuration to ensure it has no `JMSAppender` configured.
+Log4j 1 configurations without `JMSAppender` are not impacted by this vulnerability.
+
+[#CVE-2021-44228-mitigation-log4j2]
+===== Log4j 2 mitigation
+
+Upgrade to Log4j `2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.0` (for Java 8 and later).
+
+[#CVE-2021-44228-credits]
+==== Credits
+
+This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team.
+
+[#CVE-2021-44228-references]
+==== References
+
+- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228[CVE-2021-44228]
+- https://issues.apache.org/jira/browse/LOG4J2-3198[LOG4J2-3198]
+- https://issues.apache.org/jira/browse/LOG4J2-3201[LOG4J2-3201]
+
+[#CVE-2020-9488]
+=== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9488[CVE-2020-9488]
+
+[cols="1h,5"]
+|===
+|Summary |Improper validation of certificate with host mismatch in SMTP appender
+|Severity |Low
+|Base CVSS score |3.7 (Low) CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
+|Versions affected |all versions from `2.0-beta1` to `2.13.1` (excluding `2.3.1` and `2.12.3`)
+|Versions fixed |`2.12.3` (Java 7) and `2.13.2` (Java 8)
+|===
+
+[#CVE-2020-9488-description]
+==== Description
+
+Improper validation of certificate with host mismatch in SMTP appender.
+This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log
+messages sent through that appender.
+
+The reported issue was caused by an error in `SslConfiguration`.
+Any element using `SslConfiguration` in the Log4j `Configuration` is also affected by this issue.
+This includes `HttpAppender`, `SocketAppender`, and `SyslogAppender`.
+Usages of `SslConfiguration` that are configured via system properties are not affected.
+
+[#CVE-2020-9488-mitigation]
+==== Mitigation
+
+Upgrade to `2.12.3` (Java 7) or `2.13.2` (Java 8).
+
+Alternatively, users can set the `mail.smtp.ssl.checkserveridentity` system property to `true` to enable SMTPS hostname verification for all SMTPS mail sessions.
+
+[#CVE-2020-9488-credits]
+==== Credits
+
+This issue was discovered by Peter Stöckli.
+
+[#CVE-2020-9488-references]
+==== References
+
+- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9488[CVE-2020-9488]
+- https://issues.apache.org/jira/browse/LOG4J2-2819[LOG4J2-2819]
+
+[#CVE-2017-5645]
+=== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645[CVE-2017-5645]
+
+[cols="1h,5"]
+|===
+|Summary |TCP/UDP socket servers can be exploited to execute arbitrary code
+|Type |Remote Code Execution
+|Severity |Moderate
+|Base CVSS score |7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
+|Versions affected |all versions from `2.0-alpha1` to `2.8.1`
+|Versions fixed |`2.8.2` (Java 7)
+|===
+
+[#CVE-2017-5645-description]
+==== Description
+
+When using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
+
+[#CVE-2017-5645-mitigation]
+==== Mitigation
+
+Java 7 and above users should migrate to version 2.8.2 or avoid using the socket server classes.
+Java 6 users should avoid using the TCP or UDP socket server classes, or they can manually backport https://github.com/apache/logging-log4j2/commit/5dcc192[the security fix commit] from `2.8.2`.
+
+[#CVE-2017-5645-credits]
+==== Credits
+
+This issue was discovered by Marcio Almeida de Macedo of Red Team at Telstra.
+
+[#CVE-2017-5645-references]
+==== References
+
+- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645[CVE-2017-5645]
+- https://issues.apache.org/jira/browse/LOG4J2-1863[LOG4J2-1863]
+- https://github.com/apache/logging-log4j2/commit/5dcc192[Security fix commit]