packages/log4j
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!24 [sync] PR-22: Upgrade to 2.17.0 for fix CVE-2021-45105

Browse Source 
Merge pull request !24 from openeuler-sync-bot/sync-pr22-openEuler-20.03-LTS-SP3-to-openEuler-22.03-LTS-Next
This commit is contained in:
openeuler-ci-bot 2021-12-27 02:00:54 +00:00 committed by Gitee
commit f427283268
7 changed files with 30 additions and 1609 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

551
CVE-2021-44228-1.patch
View File

@ -1,551 +0,0 @@
From 755e2c9d57f0517a73d16bfcaed93cc91969bdee Mon Sep 17 00:00:00 2001
From: Ralph Goers <rgoers@apache.org>
Date: Mon, 29 Nov 2021 22:28:07 -0700
Subject: [PATCH] Restrict LDAP access via JNDI
---
log4j-core/pom.xml | 5 +
.../log4j/core/appender/mom/JmsAppender.java | 31 ++++-
.../logging/log4j/core/lookup/JndiLookup.java | 5 +
.../logging/log4j/core/net/JndiManager.java | 106 ++++++++++++++-
.../logging/log4j/core/util/NetUtils.java | 44 +++++++
.../log4j/core/lookup/JndiExploit.java | 36 +++++
.../log4j/core/lookup/JndiLdapLookupTest.java | 124 ++++++++++++++++++
.../src/test/resources/java-import.ldif | 4 +
pom.xml | 6 +
9 files changed, 353 insertions(+), 8 deletions(-)
create mode 100644 log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiExploit.java
create mode 100644 log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLdapLookupTest.java
create mode 100644 log4j-core/src/test/resources/java-import.ldif
diff --git a/log4j-core/pom.xml b/log4j-core/pom.xml
index 5d24d6f..3afa014 100644
--- a/log4j-core/pom.xml
+++ b/log4j-core/pom.xml
@@ -332,6 +332,11 @@
<artifactId>HdrHistogram</artifactId>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>org.zapodot</groupId>
+ <artifactId>embedded-ldap-junit</artifactId>
+ <scope>test</scope>
+ </dependency>
</dependencies>
<build>
<plugins>
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/JmsAppender.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/JmsAppender.java
index ddac666..f2190ca 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/JmsAppender.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/JmsAppender.java
@@ -88,6 +88,12 @@ public class JmsAppender extends AbstractAppender {
@PluginBuilderAttribute
private boolean immediateFail;
+ @PluginBuilderAttribute
+ private String allowedLdapClasses;
+
+ @PluginBuilderAttribute
+ private String allowedLdapHosts;
+
// Programmatic access only for now.
private JmsManager jmsManager;
@@ -100,8 +106,18 @@ public class JmsAppender extends AbstractAppender {
JmsManager actualJmsManager = jmsManager;
JmsManagerConfiguration configuration = null;
if (actualJmsManager == null) {
+ Properties additionalProperties = null;
+ if (allowedLdapClasses != null || allowedLdapHosts != null) {
+ additionalProperties = new Properties();
+ if (allowedLdapHosts != null) {
+ additionalProperties.put(JndiManager.ALLOWED_HOSTS, allowedLdapHosts);
+ }
+ if (allowedLdapClasses != null) {
+ additionalProperties.put(JndiManager.ALLOWED_CLASSES, allowedLdapClasses);
+ }
+ }
final Properties jndiProperties = JndiManager.createProperties(factoryName, providerUrl, urlPkgPrefixes,
- securityPrincipalName, securityCredentials, null);
+ securityPrincipalName, securityCredentials, additionalProperties);
configuration = new JmsManagerConfiguration(jndiProperties, factoryBindingName, destinationBindingName,
userName, password, false, reconnectIntervalMillis);
actualJmsManager = AbstractManager.getManager(getName(), JmsManager.FACTORY, configuration);
@@ -202,6 +218,16 @@ public class JmsAppender extends AbstractAppender {
return this;
}
+ public Builder setAllowedLdapClasses(final String allowedLdapClasses) {
+ this.allowedLdapClasses = allowedLdapClasses;
+ return this;
+ }
+
+ public Builder setAllowedLdapHosts(final String allowedLdapHosts) {
+ this.allowedLdapHosts = allowedLdapHosts;
+ return this;
+ }
+
/**
* Does not include the password.
*/
@@ -212,7 +238,8 @@ public class JmsAppender extends AbstractAppender {
+ ", securityCredentials=" + securityCredentials + ", factoryBindingName=" + factoryBindingName
+ ", destinationBindingName=" + destinationBindingName + ", username=" + userName + ", layout="
+ getLayout() + ", filter=" + getFilter() + ", ignoreExceptions=" + isIgnoreExceptions()
- + ", jmsManager=" + jmsManager + "]";
+ + ", jmsManager=" + jmsManager + ", allowedLdapClasses=" + allowedLdapClasses
+ + ", allowedLdapHosts=" + allowedLdapHosts + "]";
}
}
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/JndiLookup.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/JndiLookup.java
index 30e65ad..e57d0be 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/JndiLookup.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/JndiLookup.java
@@ -16,6 +16,11 @@
*/
package org.apache.logging.log4j.core.lookup;
+import java.net.MalformedURLException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.ArrayList;
+import java.util.List;
import java.util.Objects;
import javax.naming.NamingException;
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
index 2670857..8a0e68d 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
@@ -17,31 +17,76 @@
package org.apache.logging.log4j.core.net;
+import java.io.Serializable;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
import java.util.Properties;
import java.util.concurrent.TimeUnit;
import javax.naming.Context;
-import javax.naming.InitialContext;
+import javax.naming.NameClassPair;
+import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
+import javax.naming.Referenceable;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.InitialDirContext;
import org.apache.logging.log4j.core.appender.AbstractManager;
import org.apache.logging.log4j.core.appender.ManagerFactory;
import org.apache.logging.log4j.core.util.JndiCloser;
+import org.apache.logging.log4j.core.util.NetUtils;
+import org.apache.logging.log4j.util.PropertiesUtil;
/**
- * Manages a JNDI {@link javax.naming.Context}.
+ * Manages a JNDI {@link javax.naming.directory.DirContext}.
*
* @since 2.1
*/
public class JndiManager extends AbstractManager {
+ public static final String ALLOWED_HOSTS = "allowedLdapHosts";
+ public static final String ALLOWED_CLASSES = "allowedLdapClasses";
+
private static final JndiManagerFactory FACTORY = new JndiManagerFactory();
+ private static final String PREFIX = "log4j2.";
+ private static final List<String> permanentAllowedHosts = new ArrayList<>();
+ private static final List<String> permanentAllowedClasses = new ArrayList<>();
+ private static final String LDAP = "ldap";
+ private static final String SERIALIZED_DATA = "javaserializeddata";
+ private static final String CLASS_NAME = "javaclassname";
+ private static final String REFERENCE_ADDRESS = "javareferenceaddress";
+ private static final String OBJECT_FACTORY = "javafactory";
+ private final List<String> allowedHosts;
+ private final List<String> allowedClasses;
+
+ static {
+ permanentAllowedHosts.addAll(NetUtils.getLocalIps());
+ permanentAllowedClasses.add(Boolean.class.getName());
+ permanentAllowedClasses.add(Byte.class.getName());
+ permanentAllowedClasses.add(Character.class.getName());
+ permanentAllowedClasses.add(Double.class.getName());
+ permanentAllowedClasses.add(Float.class.getName());
+ permanentAllowedClasses.add(Integer.class.getName());
+ permanentAllowedClasses.add(Long.class.getName());
+ permanentAllowedClasses.add(Number.class.getName());
+ permanentAllowedClasses.add(Short.class.getName());
+ permanentAllowedClasses.add(String.class.getName());
+ }
- private final Context context;
- private JndiManager(final String name, final Context context) {
+ private final DirContext context;
+
+ private JndiManager(final String name, final DirContext context, final List<String> allowedHosts,
+ final List<String> allowedClasses) {
super(null, name);
this.context = context;
+ this.allowedHosts = allowedHosts;
+ this.allowedClasses = allowedClasses;
}
/**
@@ -168,7 +213,37 @@ public class JndiManager extends AbstractManager {
* @throws NamingException if a naming exception is encountered
*/
@SuppressWarnings("unchecked")
- public <T> T lookup(final String name) throws NamingException {
+ public synchronized <T> T lookup(final String name) throws NamingException {
+ try {
+ URI uri = new URI(name);
+ if (LDAP.equalsIgnoreCase(uri.getScheme())) {
+ if (!allowedHosts.contains(uri.getHost())) {
+ LOGGER.warn("Attempt to access ldap server not in allowed list");
+ return null;
+ }
+ Attributes attributes = this.context.getAttributes(name);
+ if (attributes != null) {
+ Attribute classNameAttr = attributes.get(CLASS_NAME);
+ if (attributes.get(SERIALIZED_DATA) != null) {
+ if (classNameAttr != null) {
+ String className = classNameAttr.get().toString();
+ if (!allowedClasses.contains(className)) {
+ LOGGER.warn("Deserialization of {} is not allowed", className);
+ return null;
+ }
+ } else {
+ LOGGER.warn("No class name provided for {}", name);
+ return null;
+ }
+ } else if (attributes.get(REFERENCE_ADDRESS) != null || attributes.get(OBJECT_FACTORY) != null){
+ LOGGER.warn("Referenceable class is not allowed for {}", name);
+ return null;
+ }
+ }
+ }
+ } catch (URISyntaxException ex) {
+ // This is OK.
+ }
return (T) this.context.lookup(name);
}
@@ -176,13 +251,32 @@ public class JndiManager extends AbstractManager {
@Override
public JndiManager createManager(final String name, final Properties data) {
+ String hosts = data != null ? data.getProperty(ALLOWED_HOSTS) : null;
+ String classes = data != null ? data.getProperty(ALLOWED_CLASSES) : null;
+ List<String> allowedHosts = new ArrayList<>();
+ List<String> allowedClasses = new ArrayList<>();
+ addAll(hosts, allowedHosts, permanentAllowedHosts, ALLOWED_HOSTS, data);
+ addAll(classes, allowedClasses, permanentAllowedClasses, ALLOWED_CLASSES, data);
try {
- return new JndiManager(name, new InitialContext(data));
+ return new JndiManager(name, new InitialDirContext(data), allowedHosts, allowedClasses);
} catch (final NamingException e) {
LOGGER.error("Error creating JNDI InitialContext.", e);
return null;
}
}
+
+ private void addAll(String toSplit, List<String> list, List<String> permanentList, String propertyName,
+ Properties data) {
+ if (toSplit != null) {
+ list.addAll(Arrays.asList(toSplit.split("\\s*,\\s*")));
+ data.remove(propertyName);
+ }
+ toSplit = PropertiesUtil.getProperties().getStringProperty(PREFIX + propertyName);
+ if (toSplit != null) {
+ list.addAll(Arrays.asList(toSplit.split("\\s*,\\s*")));
+ }
+ list.addAll(permanentList);
+ }
}
@Override
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/util/NetUtils.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/util/NetUtils.java
index e848822..b9a01ae 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/util/NetUtils.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/util/NetUtils.java
@@ -17,6 +17,8 @@
package org.apache.logging.log4j.core.util;
import java.io.File;
+import java.net.Inet4Address;
+import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.NetworkInterface;
@@ -25,11 +27,14 @@ import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.UnknownHostException;
+import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
+import java.util.List;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.status.StatusLogger;
+import org.apache.logging.log4j.util.Strings;
/**
* Networking-related convenience methods.
@@ -78,6 +83,45 @@ public final class NetUtils {
}
}
+ public static List<String> getLocalIps() {
+ List<String> localIps = new ArrayList<>();
+ localIps.add("localhost");
+ localIps.add("127.0.0.1");
+ try {
+ final InetAddress addr = Inet4Address.getLocalHost();
+ setHostName(addr, localIps);
+ } catch (final UnknownHostException ex) {
+ // Ignore this.
+ }
+ try {
+ final Enumeration<NetworkInterface> interfaces = NetworkInterface.getNetworkInterfaces();
+ if (interfaces != null) {
+ while (interfaces.hasMoreElements()) {
+ final NetworkInterface nic = interfaces.nextElement();
+ final Enumeration<InetAddress> addresses = nic.getInetAddresses();
+ while (addresses.hasMoreElements()) {
+ final InetAddress address = addresses.nextElement();
+ setHostName(address, localIps);
+ }
+ }
+ }
+ } catch (final SocketException se) {
+ // ignore.
+ }
+ return localIps;
+ }
+
+ private static void setHostName(InetAddress address, List<String> localIps) {
+ String[] parts = address.toString().split("\\s*/\\s*");
+ if (parts.length > 0) {
+ for (String part : parts) {
+ if (Strings.isNotBlank(part) && !localIps.contains(part)) {
+ localIps.add(part);
+ }
+ }
+ }
+ }
+
/**
* Returns the local network interface's MAC address if possible. The local network interface is defined here as
* the {@link java.net.NetworkInterface} that is both up and not a loopback interface.
diff --git a/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiExploit.java b/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiExploit.java
new file mode 100644
index 0000000..7b0ae46
--- /dev/null
+++ b/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiExploit.java
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache license, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the license for the specific language governing permissions and
+ * limitations under the license.
+ */
+package org.apache.logging.log4j.core.lookup;
+
+import javax.naming.Context;
+import javax.naming.Name;
+import javax.naming.spi.ObjectFactory;
+import java.util.Hashtable;
+
+import static org.junit.jupiter.api.Assertions.fail;
+
+/**
+ * Test LDAP object
+ */
+public class JndiExploit implements ObjectFactory {
+ @Override
+ public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable<?, ?> environment)
+ throws Exception {
+ fail("getObjectInstance must not be allowed");
+ return null;
+ }
+}
diff --git a/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLdapLookupTest.java b/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLdapLookupTest.java
new file mode 100644
index 0000000..73129f5
--- /dev/null
+++ b/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLdapLookupTest.java
@@ -0,0 +1,124 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache license, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the license for the specific language governing permissions and
+ * limitations under the license.
+ */
+package org.apache.logging.log4j.core.lookup;
+
+import javax.naming.Context;
+import javax.naming.NamingException;
+import javax.naming.Reference;
+import javax.naming.Referenceable;
+import javax.naming.StringRefAddr;
+
+import org.apache.logging.log4j.Level;
+import org.apache.logging.log4j.message.SimpleMessage;
+import org.junit.BeforeClass;
+import org.junit.Rule;
+import org.junit.Test;
+import org.zapodot.junit.ldap.EmbeddedLdapRule;
+import org.zapodot.junit.ldap.EmbeddedLdapRuleBuilder;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+/**
+ * JndiLookupTest
+ */
+public class JndiLdapLookupTest {
+
+ private static final String LDAP_URL = "ldap://127.0.0.1:";
+ private static final String RESOURCE = "JndiExploit";
+ private static final String TEST_STRING = "TestString";
+ private static final String TEST_MESSAGE = "TestMessage";
+ private static final String LEVEL = "TestLevel";
+ public static final String DOMAIN_DSN = "dc=apache,dc=org";
+
+ @Rule
+ public EmbeddedLdapRule embeddedLdapRule = EmbeddedLdapRuleBuilder.newInstance().usingDomainDsn(DOMAIN_DSN)
+ .importingLdifs("java-import.ldif").build();
+
+ @BeforeClass
+ public static void beforeClass() {
+ System.setProperty("log4j2.allowedLdapClasses", Level.class.getName());
+ }
+
+ @Test
+ public void testReferenceLookup() throws Exception {
+ int port = embeddedLdapRule.embeddedServerPort();
+ Context context = embeddedLdapRule.context();
+ context.bind( "cn=" + RESOURCE +"," + DOMAIN_DSN, new Fruit("Test Message"));
+ final StrLookup lookup = new JndiLookup();
+ String result = lookup.lookup(LDAP_URL + port + "/" + "cn=" + RESOURCE + "," + DOMAIN_DSN);
+ if (result != null) {
+ fail("Lookup returned an object");
+ }
+ }
+
+ @Test
+ public void testSerializableLookup() throws Exception {
+ int port = embeddedLdapRule.embeddedServerPort();
+ Context context = embeddedLdapRule.context();
+ context.bind( "cn=" + TEST_STRING +"," + DOMAIN_DSN, "Test Message");
+ final StrLookup lookup = new JndiLookup();
+ String result = lookup.lookup(LDAP_URL + port + "/" + "cn=" + TEST_STRING + "," + DOMAIN_DSN);
+ if (result == null) {
+ fail("Lookup failed to return the test string");
+ }
+ assertEquals("Incorrect message returned", "Test Message", result);
+ }
+
+ @Test
+ public void testBadSerializableLookup() throws Exception {
+ int port = embeddedLdapRule.embeddedServerPort();
+ Context context = embeddedLdapRule.context();
+ context.bind( "cn=" + TEST_MESSAGE +"," + DOMAIN_DSN, new SimpleMessage("Test Message"));
+ final StrLookup lookup = new JndiLookup();
+ String result = lookup.lookup(LDAP_URL + port + "/" + "cn=" + TEST_MESSAGE + "," + DOMAIN_DSN);
+ if (result != null) {
+ fail("Lookup returned an object");
+ }
+ }
+
+ @Test
+ public void testSpecialSerializableLookup() throws Exception {
+ int port = embeddedLdapRule.embeddedServerPort();
+ Context context = embeddedLdapRule.context();
+ context.bind( "cn=" + LEVEL +"," + DOMAIN_DSN, Level.ERROR);
+ final StrLookup lookup = new JndiLookup();
+ String result = lookup.lookup(LDAP_URL + port + "/" + "cn=" + LEVEL + "," + DOMAIN_DSN);
+ if (result == null) {
+ fail("Lookup failed to return the level");
+ }
+ assertEquals("Incorrect level returned", Level.ERROR.toString(), result);
+ }
+
+ class Fruit implements Referenceable {
+ String fruit;
+ public Fruit(String f) {
+ fruit = f;
+ }
+
+ public Reference getReference() throws NamingException {
+
+ return new Reference(Fruit.class.getName(), new StringRefAddr("fruit",
+ fruit), JndiExploit.class.getName(), null); // factory location
+ }
+
+ public String toString() {
+ return fruit;
+ }
+ }
+
+}
diff --git a/log4j-core/src/test/resources/java-import.ldif b/log4j-core/src/test/resources/java-import.ldif
new file mode 100644
index 0000000..35daf43
--- /dev/null
+++ b/log4j-core/src/test/resources/java-import.ldif
@@ -0,0 +1,4 @@
+dn: dc=apache,dc=org
+objectClass: domain
+objectClass: top
+dc: apache
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index d74175d..6fd99f1 100644
--- a/pom.xml
+++ b/pom.xml
@@ -868,6 +868,12 @@
<version>2.2.0</version>
<scope>test</scope>
</dependency>
+ <!-- Testing LDAP -->
+ <dependency>
+ <groupId>org.zapodot</groupId>
+ <artifactId>embedded-ldap-junit</artifactId>
+ <version>0.8.1</version>
+ </dependency>
</dependencies>
</dependencyManagement>
<build>
--
2.27.0

232
CVE-2021-44228-2.patch
View File

@ -1,232 +0,0 @@
From fe3d988db456640c96412e6c2a27ea2d40e51615 Mon Sep 17 00:00:00 2001
From: Ralph Goers <rgoers@apache.org>
Date: Tue, 30 Nov 2021 17:20:24 -0700
Subject: [PATCH] Disable most JNDI protocols
---
.../log4j/core/appender/mom/JmsAppender.java | 13 ++++-
.../logging/log4j/core/lookup/JndiLookup.java | 5 --
.../logging/log4j/core/net/JndiManager.java | 47 +++++++++----------
.../log4j/core/lookup/JndiLdapLookupTest.java | 22 ++++++++-
4 files changed, 56 insertions(+), 31 deletions(-)
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/JmsAppender.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/JmsAppender.java
index f2190ca91c..35f5b10569 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/JmsAppender.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/JmsAppender.java
@@ -94,6 +94,9 @@
@PluginBuilderAttribute
private String allowedLdapHosts;
+ @PluginBuilderAttribute
+ private String allowedJndiProtocols;
+
// Programmatic access only for now.
private JmsManager jmsManager;
@@ -115,6 +118,9 @@ public JmsAppender build() {
if (allowedLdapClasses != null) {
additionalProperties.put(JndiManager.ALLOWED_CLASSES, allowedLdapClasses);
}
+ if (allowedJndiProtocols != null) {
+ additionalProperties.put(JndiManager.ALLOWED_PROTOCOLS, allowedJndiProtocols);
+ }
}
final Properties jndiProperties = JndiManager.createProperties(factoryName, providerUrl, urlPkgPrefixes,
securityPrincipalName, securityCredentials, additionalProperties);
@@ -228,6 +234,11 @@ public Builder setAllowedLdapHosts(final String allowedLdapHosts) {
return this;
}
+ public Builder setAllowedJndiProtocols(final String allowedJndiProtocols) {
+ this.allowedJndiProtocols = allowedJndiProtocols;
+ return this;
+ }
+
/**
* Does not include the password.
*/
@@ -239,7 +250,7 @@ public String toString() {
+ ", destinationBindingName=" + destinationBindingName + ", username=" + userName + ", layout="
+ getLayout() + ", filter=" + getFilter() + ", ignoreExceptions=" + isIgnoreExceptions()
+ ", jmsManager=" + jmsManager + ", allowedLdapClasses=" + allowedLdapClasses
- + ", allowedLdapHosts=" + allowedLdapHosts + "]";
+ + ", allowedLdapHosts=" + allowedLdapHosts + ", allowedJndiProtocols=" + allowedJndiProtocols + "]";
}
}
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/JndiLookup.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/JndiLookup.java
index e57d0bebba..30e65ad24f 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/JndiLookup.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/JndiLookup.java
@@ -16,11 +16,6 @@
*/
package org.apache.logging.log4j.core.lookup;
-import java.net.MalformedURLException;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.util.ArrayList;
-import java.util.List;
import java.util.Objects;
import javax.naming.NamingException;
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
index 8a0e68dc66..613a0551da 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
@@ -17,20 +17,17 @@
package org.apache.logging.log4j.core.net;
-import java.io.Serializable;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
+import java.util.Locale;
import java.util.Properties;
import java.util.concurrent.TimeUnit;
import javax.naming.Context;
-import javax.naming.NameClassPair;
-import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
-import javax.naming.Referenceable;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
@@ -51,42 +48,36 @@
public static final String ALLOWED_HOSTS = "allowedLdapHosts";
public static final String ALLOWED_CLASSES = "allowedLdapClasses";
+ public static final String ALLOWED_PROTOCOLS = "allowedJndiProtocols";
private static final JndiManagerFactory FACTORY = new JndiManagerFactory();
private static final String PREFIX = "log4j2.";
- private static final List<String> permanentAllowedHosts = new ArrayList<>();
- private static final List<String> permanentAllowedClasses = new ArrayList<>();
private static final String LDAP = "ldap";
+ private static final String LDAPS = "ldaps";
+ private static final String JAVA = "java";
+ private static final List<String> permanentAllowedHosts = NetUtils.getLocalIps();
+ private static final List<String> permanentAllowedClasses = Arrays.asList(Boolean.class.getName(),
+ Byte.class.getName(), Character.class.getName(), Double.class.getName(), Float.class.getName(),
+ Integer.class.getName(), Long.class.getName(), Number.class.getName(), Short.class.getName(),
+ String.class.getName());
+ private static final List<String> permanentAllowedProtocols = Arrays.asList(JAVA, LDAP, LDAPS);
private static final String SERIALIZED_DATA = "javaserializeddata";
private static final String CLASS_NAME = "javaclassname";
private static final String REFERENCE_ADDRESS = "javareferenceaddress";
private static final String OBJECT_FACTORY = "javafactory";
private final List<String> allowedHosts;
private final List<String> allowedClasses;
-
- static {
- permanentAllowedHosts.addAll(NetUtils.getLocalIps());
- permanentAllowedClasses.add(Boolean.class.getName());
- permanentAllowedClasses.add(Byte.class.getName());
- permanentAllowedClasses.add(Character.class.getName());
- permanentAllowedClasses.add(Double.class.getName());
- permanentAllowedClasses.add(Float.class.getName());
- permanentAllowedClasses.add(Integer.class.getName());
- permanentAllowedClasses.add(Long.class.getName());
- permanentAllowedClasses.add(Number.class.getName());
- permanentAllowedClasses.add(Short.class.getName());
- permanentAllowedClasses.add(String.class.getName());
- }
-
+ private final List<String> allowedProtocols;
private final DirContext context;
private JndiManager(final String name, final DirContext context, final List<String> allowedHosts,
- final List<String> allowedClasses) {
+ final List<String> allowedClasses, final List<String> allowedProtocols) {
super(null, name);
this.context = context;
this.allowedHosts = allowedHosts;
this.allowedClasses = allowedClasses;
+ this.allowedProtocols = allowedProtocols;
}
/**
@@ -216,7 +207,11 @@ protected boolean releaseSub(final long timeout, final TimeUnit timeUnit) {
public synchronized <T> T lookup(final String name) throws NamingException {
try {
URI uri = new URI(name);
- if (LDAP.equalsIgnoreCase(uri.getScheme())) {
+ if (!allowedProtocols.contains(uri.getScheme().toLowerCase(Locale.ROOT))) {
+ LOGGER.warn("Log4j JNDI does not allow protocol {}", uri.getScheme());
+ return null;
+ }
+ if (LDAP.equalsIgnoreCase(uri.getScheme()) || LDAPS.equalsIgnoreCase(uri.getScheme())) {
if (!allowedHosts.contains(uri.getHost())) {
LOGGER.warn("Attempt to access ldap server not in allowed list");
return null;
@@ -253,12 +248,16 @@ protected boolean releaseSub(final long timeout, final TimeUnit timeUnit) {
public JndiManager createManager(final String name, final Properties data) {
String hosts = data != null ? data.getProperty(ALLOWED_HOSTS) : null;
String classes = data != null ? data.getProperty(ALLOWED_CLASSES) : null;
+ String protocols = data != null ? data.getProperty(ALLOWED_PROTOCOLS) : null;
List<String> allowedHosts = new ArrayList<>();
List<String> allowedClasses = new ArrayList<>();
+ List<String> allowedProtocols = new ArrayList<>();
addAll(hosts, allowedHosts, permanentAllowedHosts, ALLOWED_HOSTS, data);
addAll(classes, allowedClasses, permanentAllowedClasses, ALLOWED_CLASSES, data);
+ addAll(protocols, allowedProtocols, permanentAllowedProtocols, ALLOWED_PROTOCOLS, data);
try {
- return new JndiManager(name, new InitialDirContext(data), allowedHosts, allowedClasses);
+ return new JndiManager(name, new InitialDirContext(data), allowedHosts, allowedClasses,
+ allowedProtocols);
} catch (final NamingException e) {
LOGGER.error("Error creating JNDI InitialContext.", e);
return null;
diff --git a/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLdapLookupTest.java b/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLdapLookupTest.java
index 73129f5a91..a26d927da4 100644
--- a/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLdapLookupTest.java
+++ b/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLdapLookupTest.java
@@ -43,7 +43,8 @@
private static final String TEST_STRING = "TestString";
private static final String TEST_MESSAGE = "TestMessage";
private static final String LEVEL = "TestLevel";
- public static final String DOMAIN_DSN = "dc=apache,dc=org";
+ private static final String DOMAIN_DSN = "dc=apache,dc=org";
+ private static final String DOMAIN = "apache.org";
@Rule
public EmbeddedLdapRule embeddedLdapRule = EmbeddedLdapRuleBuilder.newInstance().usingDomainDsn(DOMAIN_DSN)
@@ -52,6 +53,7 @@
@BeforeClass
public static void beforeClass() {
System.setProperty("log4j2.allowedLdapClasses", Level.class.getName());
+ System.setProperty("log4j2.allowedJndiProtocols", "dns");
}
@Test
@@ -104,6 +106,24 @@ public void testSpecialSerializableLookup() throws Exception {
assertEquals("Incorrect level returned", Level.ERROR.toString(), result);
}
+ @Test
+ public void testDnsLookup() throws Exception {
+ final StrLookup lookup = new JndiLookup();
+ String result = lookup.lookup("dns:/" + DOMAIN);
+ if (result == null) {
+ fail("No DNS data returned");
+ }
+ }
+
+ @Test
+ public void testNisLookup() throws Exception {
+ final StrLookup lookup = new JndiLookup();
+ String result = lookup.lookup("nis:/" + DOMAIN);
+ if (result != null) {
+ fail("NIS information should not have been returned");
+ }
+ }
+
class Fruit implements Referenceable {
String fruit;
public Fruit(String f) {

112
CVE-2021-44228-3.patch
View File

@ -1,112 +0,0 @@
From 5f81dd218aab36bf1c6a7410c88c29594bb1a0e7 Mon Sep 17 00:00:00 2001
From: Ralph Goers <rgoers@apache.org>
Date: Tue, 30 Nov 2021 22:38:22 -0700
Subject: [PATCH] Rename test. Various minor fixes
---
.../logging/log4j/core/net/JndiManager.java | 31 +++++++++++++------
...est.java => JndiRestrictedLookupTest.java} | 4 +--
...-import.ldif => JndiRestrictedLookup.ldif} | 0
3 files changed, 24 insertions(+), 11 deletions(-)
rename log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/{JndiLdapLookupTest.java => JndiRestrictedLookupTest.java} (98%)
rename log4j-core/src/test/resources/{java-import.ldif => JndiRestrictedLookup.ldif} (100%)
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
index 613a0551da..b392b938b4 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
@@ -21,12 +21,15 @@
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Arrays;
+import java.util.HashMap;
import java.util.List;
import java.util.Locale;
+import java.util.Map;
import java.util.Properties;
import java.util.concurrent.TimeUnit;
import javax.naming.Context;
+import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
@@ -58,13 +61,12 @@
private static final List<String> permanentAllowedHosts = NetUtils.getLocalIps();
private static final List<String> permanentAllowedClasses = Arrays.asList(Boolean.class.getName(),
Byte.class.getName(), Character.class.getName(), Double.class.getName(), Float.class.getName(),
- Integer.class.getName(), Long.class.getName(), Number.class.getName(), Short.class.getName(),
- String.class.getName());
+ Integer.class.getName(), Long.class.getName(), Short.class.getName(), String.class.getName());
private static final List<String> permanentAllowedProtocols = Arrays.asList(JAVA, LDAP, LDAPS);
- private static final String SERIALIZED_DATA = "javaserializeddata";
- private static final String CLASS_NAME = "javaclassname";
- private static final String REFERENCE_ADDRESS = "javareferenceaddress";
- private static final String OBJECT_FACTORY = "javafactory";
+ private static final String SERIALIZED_DATA = "javaSerializedData";
+ private static final String CLASS_NAME = "javaClassName";
+ private static final String REFERENCE_ADDRESS = "javaReferenceAddress";
+ private static final String OBJECT_FACTORY = "javaFactory";
private final List<String> allowedHosts;
private final List<String> allowedClasses;
private final List<String> allowedProtocols;
@@ -218,8 +220,18 @@ protected boolean releaseSub(final long timeout, final TimeUnit timeUnit) {
}
Attributes attributes = this.context.getAttributes(name);
if (attributes != null) {
- Attribute classNameAttr = attributes.get(CLASS_NAME);
- if (attributes.get(SERIALIZED_DATA) != null) {
+ // In testing the "key" for attributes seems to be lowercase while the attribute id is
+ // camelcase, but that may just be true for the test LDAP used here. This copies the Attributes
+ // to a Map ignoring the "key" and using the Attribute's id as the key in the Map so it matches
+ // the Java schema.
+ Map<String, Attribute> attributeMap = new HashMap<>();
+ NamingEnumeration<? extends Attribute> enumeration = attributes.getAll();
+ while (enumeration.hasMore()) {
+ Attribute attribute = enumeration.next();
+ attributeMap.put(attribute.getID(), attribute);
+ }
+ Attribute classNameAttr = attributeMap.get(CLASS_NAME);
+ if (attributeMap.get(SERIALIZED_DATA) != null) {
if (classNameAttr != null) {
String className = classNameAttr.get().toString();
if (!allowedClasses.contains(className)) {
@@ -230,7 +242,8 @@ protected boolean releaseSub(final long timeout, final TimeUnit timeUnit) {
LOGGER.warn("No class name provided for {}", name);
return null;
}
- } else if (attributes.get(REFERENCE_ADDRESS) != null || attributes.get(OBJECT_FACTORY) != null){
+ } else if (attributeMap.get(REFERENCE_ADDRESS) != null
+ || attributeMap.get(OBJECT_FACTORY) != null) {
LOGGER.warn("Referenceable class is not allowed for {}", name);
return null;
}
diff --git a/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLdapLookupTest.java b/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiRestrictedLookupTest.java
similarity index 98%
rename from log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLdapLookupTest.java
rename to log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiRestrictedLookupTest.java
index a26d927da4..032c9c4d85 100644
--- a/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLdapLookupTest.java
+++ b/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiRestrictedLookupTest.java
@@ -36,7 +36,7 @@
/**
* JndiLookupTest
*/
-public class JndiLdapLookupTest {
+public class JndiRestrictedLookupTest {
private static final String LDAP_URL = "ldap://127.0.0.1:";
private static final String RESOURCE = "JndiExploit";
@@ -48,7 +48,7 @@
@Rule
public EmbeddedLdapRule embeddedLdapRule = EmbeddedLdapRuleBuilder.newInstance().usingDomainDsn(DOMAIN_DSN)
- .importingLdifs("java-import.ldif").build();
+ .importingLdifs("JndiRestrictedLookup.ldif").build();
@BeforeClass
public static void beforeClass() {
diff --git a/log4j-core/src/test/resources/java-import.ldif b/log4j-core/src/test/resources/JndiRestrictedLookup.ldif
similarity index 100%
rename from log4j-core/src/test/resources/java-import.ldif
rename to log4j-core/src/test/resources/JndiRestrictedLookup.ldif

237
CVE-2021-44228-4.patch
View File

@ -1,237 +0,0 @@
From 7fe72d62fcb9246be792b946e405e1d40d402780 Mon Sep 17 00:00:00 2001
From: Ralph Goers <rgoers@apache.org>
Date: Sat, 4 Dec 2021 20:59:39 -0700
Subject: [PATCH] LOG4J2-3201 - Limit the protocols JNDI can use by default.
Limit the servers and classes that can be accessed via LDAP.
---
.../logging/log4j/core/net/JndiManager.java | 62 ++++++++++---------
.../logging/log4j/core/util/NetUtils.java | 4 ++
src/changes/changes.xml | 3 +
src/site/xdoc/manual/appenders.xml | 27 ++++++++
src/site/xdoc/manual/configuration.xml.vm | 26 ++++++++
src/site/xdoc/manual/extending.xml | 5 +-
src/site/xdoc/manual/lookups.xml | 7 +++
7 files changed, 103 insertions(+), 31 deletions(-)
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
index b392b93..2d7604f 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
@@ -209,43 +209,45 @@ public class JndiManager extends AbstractManager {
public synchronized <T> T lookup(final String name) throws NamingException {
try {
URI uri = new URI(name);
- if (!allowedProtocols.contains(uri.getScheme().toLowerCase(Locale.ROOT))) {
- LOGGER.warn("Log4j JNDI does not allow protocol {}", uri.getScheme());
- return null;
- }
- if (LDAP.equalsIgnoreCase(uri.getScheme()) || LDAPS.equalsIgnoreCase(uri.getScheme())) {
- if (!allowedHosts.contains(uri.getHost())) {
- LOGGER.warn("Attempt to access ldap server not in allowed list");
+ if (uri.getScheme() != null) {
+ if (!allowedProtocols.contains(uri.getScheme().toLowerCase(Locale.ROOT))) {
+ LOGGER.warn("Log4j JNDI does not allow protocol {}", uri.getScheme());
return null;
}
- Attributes attributes = this.context.getAttributes(name);
- if (attributes != null) {
- // In testing the "key" for attributes seems to be lowercase while the attribute id is
- // camelcase, but that may just be true for the test LDAP used here. This copies the Attributes
- // to a Map ignoring the "key" and using the Attribute's id as the key in the Map so it matches
- // the Java schema.
- Map<String, Attribute> attributeMap = new HashMap<>();
- NamingEnumeration<? extends Attribute> enumeration = attributes.getAll();
- while (enumeration.hasMore()) {
- Attribute attribute = enumeration.next();
- attributeMap.put(attribute.getID(), attribute);
+ if (LDAP.equalsIgnoreCase(uri.getScheme()) || LDAPS.equalsIgnoreCase(uri.getScheme())) {
+ if (!allowedHosts.contains(uri.getHost())) {
+ LOGGER.warn("Attempt to access ldap server not in allowed list");
+ return null;
}
- Attribute classNameAttr = attributeMap.get(CLASS_NAME);
- if (attributeMap.get(SERIALIZED_DATA) != null) {
- if (classNameAttr != null) {
- String className = classNameAttr.get().toString();
- if (!allowedClasses.contains(className)) {
- LOGGER.warn("Deserialization of {} is not allowed", className);
+ Attributes attributes = this.context.getAttributes(name);
+ if (attributes != null) {
+ // In testing the "key" for attributes seems to be lowercase while the attribute id is
+ // camelcase, but that may just be true for the test LDAP used here. This copies the Attributes
+ // to a Map ignoring the "key" and using the Attribute's id as the key in the Map so it matches
+ // the Java schema.
+ Map<String, Attribute> attributeMap = new HashMap<>();
+ NamingEnumeration<? extends Attribute> enumeration = attributes.getAll();
+ while (enumeration.hasMore()) {
+ Attribute attribute = enumeration.next();
+ attributeMap.put(attribute.getID(), attribute);
+ }
+ Attribute classNameAttr = attributeMap.get(CLASS_NAME);
+ if (attributeMap.get(SERIALIZED_DATA) != null) {
+ if (classNameAttr != null) {
+ String className = classNameAttr.get().toString();
+ if (!allowedClasses.contains(className)) {
+ LOGGER.warn("Deserialization of {} is not allowed", className);
+ return null;
+ }
+ } else {
+ LOGGER.warn("No class name provided for {}", name);
return null;
}
- } else {
- LOGGER.warn("No class name provided for {}", name);
+ } else if (attributeMap.get(REFERENCE_ADDRESS) != null
+ || attributeMap.get(OBJECT_FACTORY) != null) {
+ LOGGER.warn("Referenceable class is not allowed for {}", name);
return null;
}
- } else if (attributeMap.get(REFERENCE_ADDRESS) != null
- || attributeMap.get(OBJECT_FACTORY) != null) {
- LOGGER.warn("Referenceable class is not allowed for {}", name);
- return null;
}
}
}
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/util/NetUtils.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/util/NetUtils.java
index b9a01ae..6adac59 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/util/NetUtils.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/util/NetUtils.java
@@ -83,6 +83,10 @@ public final class NetUtils {
}
}
+ /**
+ * Returns all the local host names and ip addresses.
+ * @return The local host names and ip addresses.
+ */
public static List<String> getLocalIps() {
List<String> localIps = new ArrayList<>();
localIps.add("localhost");
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 9c44684..f2d9c57 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -30,6 +30,9 @@
- "remove" - Removed
-->
<release version="2.13.2" date="2020-04-23" description="GA Release 2.13.2">
+ <action issue="LOG4J2-3201" dev="rgoers" type="fix">
+ Limit the protocols JNDI can use by default. Limit the servers and classes that can be accessed via LDAP.
+ </action>
<action issue="LOG4J2-2824" dev="rgoers" type="fix" due-to="CrazyBills">
Implement requiresLocation in GelfLayout to reflect whether location information is used in the message Pattern.
</action>
diff --git a/src/site/xdoc/manual/appenders.xml b/src/site/xdoc/manual/appenders.xml
index ab40094..267f54f 100644
--- a/src/site/xdoc/manual/appenders.xml
+++ b/src/site/xdoc/manual/appenders.xml
@@ -1542,6 +1542,33 @@ public class ConnectionFactory {
<th>Default</th>
<th>Description</th>
</tr>
+ <tr>
+ <td>allowdLdapClasses</td>
+ <td>String</td>
+ <td>null</td>
+ <td>
+ A comma separated list of fully qualified class names that may be accessed by LDAP. The classes
+ must implement Serializable. Only applies when the JMS Appender By default only Java primative classes are allowed.
+ </td>
+ </tr>
+ <tr>
+ <td>allowdLdapHosts</td>
+ <td>String</td>
+ <td>null</td>
+ <td>
+ A comma separated list of host names or ip addresses that may be accessed by LDAP. By default only
+ the local host names and ip addresses are allowed.
+ </td>
+ </tr>
+ <tr>
+ <td>allowdJndiProtocols</td>
+ <td>String</td>
+ <td>null</td>
+ <td>
+ A comma separated list of protocol names that JNDI will allow. By default only java, ldap, and ldaps
+ are the only allowed protocols.
+ </td>
+ </tr>
<tr>
<td>factoryBindingName</td>
<td>String</td>
diff --git a/src/site/xdoc/manual/configuration.xml.vm b/src/site/xdoc/manual/configuration.xml.vm
index a3da3b8..402a96c 100644
--- a/src/site/xdoc/manual/configuration.xml.vm
+++ b/src/site/xdoc/manual/configuration.xml.vm
@@ -1960,6 +1960,32 @@ public class AwesomeTest {
before falling back to the default class loader.
</td>
</tr>
+ <tr>
+ <td><a name="allowedLdapClasses"/>log4j2.allowedLdapClasses</td>
+ <td>LOG4J_ALLOWED_LDAP_CLASSES</td>
+ <td>&nbsp;</td>
+ <td>
+ System property that specifies fully qualified class names that may be accessed by LDAP. The classes
+ must implement Serializable. By default only Java primative classes are allowed.
+ </td>
+ </tr>
+ <tr>
+ <td><a name="allowedLdapHosts"/>log4j2.allowedLdapHosts</td>
+ <td>LOG4J_ALLOWED_LDAP_HOSTS</td>
+ <td>&nbsp;</td>
+ <td>
+ System property that adds host names or ip addresses that may be access by LDAP. By default it only allows
+ the local host names and ip addresses.
+ </td>
+ </tr>
+ <tr>
+ <td><a name="allowedJndiProtocols"/>log4j2.allowedJndiProtocols</td>
+ <td>LOG4J_ALLOWED_JNDI_PROTOCOLS</td>
+ <td>&nbsp;</td>
+ <td>
+ System property that adds protocol names that JNDI will allow. By default it only allows java, ldap, and ldaps.
+ </td>
+ </tr>
<tr>
<td><a name="uuidSequence"/>log4j2.uuidSequence
<br />
diff --git a/src/site/xdoc/manual/extending.xml b/src/site/xdoc/manual/extending.xml
index ba04d68..04c742a 100644
--- a/src/site/xdoc/manual/extending.xml
+++ b/src/site/xdoc/manual/extending.xml
@@ -92,7 +92,10 @@
<dd>Associates LoggerContexts with the ClassLoader that created the caller of the getLogger call. This is
the default ContextSelector.</dd>
<dt><a class="javadoc" href="../log4j-core/apidocs/org/apache/logging/log4j/core/selector/JndiContextSelector.html">JndiContextSelector</a></dt>
- <dd>Locates the LoggerContext by querying JNDI.</dd>
+ <dd>Locates the LoggerContext by querying JNDI. Please see <a href="../manual/configuration.html#allowedJndiProtocols">log4j2.allowedJndiProtocols</a>,
+ <a href="../manual/configuration.html#allowedLdapClasses">log4j2.allowedLdapClasses</a>, and
+ <a href="../manual/configuration.html#allowedLdapHosts">log4j2.allowedLdapHosts</a> for restrictions on using JNDI
+ with Log4j.</dd>
<dt><a class="javadoc" href="../log4j-core/apidocs/org/apache/logging/log4j/core/async/AsyncLoggerContextSelector.html">AsyncLoggerContextSelector</a></dt>
<dd>Creates a LoggerContext that ensures that all loggers are AsyncLoggers.</dd>
<dt><a class="javadoc" href="../log4j-core/apidocs/org/apache/logging/log4j/core/osgi/BundleContextSelector.html">BundleContextSelector</a></dt>
diff --git a/src/site/xdoc/manual/lookups.xml b/src/site/xdoc/manual/lookups.xml
index d699e78..cc6a66f 100644
--- a/src/site/xdoc/manual/lookups.xml
+++ b/src/site/xdoc/manual/lookups.xml
@@ -270,6 +270,13 @@
The JndiLookup allows variables to be retrieved via JNDI. By default the key will be prefixed with
java:comp/env/, however if the key contains a ":" no prefix will be added.
</p>
+ <p>By default the JDNI Lookup only supports the java, ldap, and ldaps protocols or no protocol. Additional
+ protocols may be supported by specifying them on the <code>log4j2.allowedJndiProtocols</code> property.
+ When using LDAP Java classes that implement the Referenceable interface are not supported for security
+ reasons. Only the Java primative classes are supported by default as well as any classes specified by the
+ <code>log4j2.allowedLdapClasses</code> property. When using LDAP only references to the local host name
+ or ip address are supported along with any hosts or ip addresses listed in the
+ <code>log4j2.allowedLdapHosts</code> property.</p>
<pre class="prettyprint linenums"><![CDATA[
<File name="Application" fileName="application.log">
<PatternLayout>
--
2.27.0

459
CVE-2021-45046.patch
View File

@ -1,459 +0,0 @@
From e68ff3edf50b334668dd5563e746a491a58935ff Mon Sep 17 00:00:00 2001
From: Ralph Goers <rgoers@apache.org>
Date: Sat, 11 Dec 2021 16:05:14 -0700
Subject: [PATCH] LOG4J2-3208 - Disable JNDI by default
---
.../log4j/core/appender/mom/JmsManager.java | 13 ++--
.../log4j/core/lookup/Interpolator.java | 19 ++++--
.../logging/log4j/core/net/JndiManager.java | 54 +++++++++++-----
.../core/selector/JndiContextSelector.java | 6 ++
.../core/appender/mom/JmsAppenderTest.java | 6 ++
.../routing/RoutingAppenderWithJndiTest.java | 10 ++-
.../log4j/core/lookup/InterpolatorTest.java | 3 +
.../core/lookup/JndiDisabledLookupTest.java | 64 +++++++++++++++++++
.../log4j/core/lookup/JndiLookupTest.java | 6 ++
.../core/lookup/JndiRestrictedLookupTest.java | 1 +
src/site/xdoc/manual/appenders.xml | 3 +
src/site/xdoc/manual/configuration.xml.vm | 8 +++
src/site/xdoc/manual/logsep.xml | 3 +
src/site/xdoc/manual/lookups.xml | 5 ++
14 files changed, 172 insertions(+), 29 deletions(-)
create mode 100644 log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiDisabledLookupTest.java
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/JmsManager.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/JmsManager.java
index ad57358..671cd5d 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/JmsManager.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/JmsManager.java
@@ -125,10 +125,15 @@ public class JmsManager extends AbstractManager {
@Override
public JmsManager createManager(final String name, final JmsManagerConfiguration data) {
- try {
- return new JmsManager(name, data);
- } catch (final Exception e) {
- logger().error("Error creating JmsManager using JmsManagerConfiguration [{}]", data, e);
+ if (JndiManager.isIsJndiEnabled()) {
+ try {
+ return new JmsManager(name, data);
+ } catch (final Exception e) {
+ logger().error("Error creating JmsManager using JmsManagerConfiguration [{}]", data, e);
+ return null;
+ }
+ } else {
+ logger().error("JNDI has not been enabled. The log4j2.enableJndi property must be set to true");
return null;
}
}
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java
index f0c40f5..827b77e 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java
@@ -26,6 +26,7 @@ import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.config.ConfigurationAware;
import org.apache.logging.log4j.core.config.plugins.util.PluginManager;
import org.apache.logging.log4j.core.config.plugins.util.PluginType;
+import org.apache.logging.log4j.core.net.JndiManager;
import org.apache.logging.log4j.core.util.Loader;
import org.apache.logging.log4j.core.util.ReflectionUtil;
import org.apache.logging.log4j.status.StatusLogger;
@@ -77,7 +78,9 @@ public class Interpolator extends AbstractConfigurationAwareLookup {
for (final Map.Entry<String, PluginType<?>> entry : plugins.entrySet()) {
try {
final Class<? extends StrLookup> clazz = entry.getValue().getPluginClass().asSubclass(StrLookup.class);
- strLookupMap.put(entry.getKey().toLowerCase(), ReflectionUtil.instantiate(clazz));
+ if (!clazz.getName().equals(JndiLookup.class.getName()) || JndiManager.isIsJndiEnabled()) {
+ strLookupMap.put(entry.getKey().toLowerCase(), ReflectionUtil.instantiate(clazz));
+ }
} catch (final Throwable t) {
handleError(entry.getKey(), t);
}
@@ -106,12 +109,14 @@ public class Interpolator extends AbstractConfigurationAwareLookup {
strLookupMap.put("lower", new LowerLookup());
strLookupMap.put("upper", new UpperLookup());
// JNDI
- try {
- // [LOG4J2-703] We might be on Android
- strLookupMap.put(LOOKUP_KEY_JNDI,
- Loader.newCheckedInstanceOf("org.apache.logging.log4j.core.lookup.JndiLookup", StrLookup.class));
- } catch (final LinkageError | Exception e) {
- handleError(LOOKUP_KEY_JNDI, e);
+ if (JndiManager.isIsJndiEnabled()) {
+ try {
+ // [LOG4J2-703] We might be on Android
+ strLookupMap.put(LOOKUP_KEY_JNDI,
+ Loader.newCheckedInstanceOf("org.apache.logging.log4j.core.lookup.JndiLookup", StrLookup.class));
+ } catch (final LinkageError | Exception e) {
+ handleError(LOOKUP_KEY_JNDI, e);
+ }
}
// JMX input args
try {
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
index 2d7604f..d946cd1 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
@@ -73,6 +73,10 @@ public class JndiManager extends AbstractManager {
private final DirContext context;
+ public static boolean isIsJndiEnabled() {
+ return PropertiesUtil.getProperties().getBooleanProperty("log4j2.enableJndi", false);
+ }
+
private JndiManager(final String name, final DirContext context, final List<String> allowedHosts,
final List<String> allowedClasses, final List<String> allowedProtocols) {
super(null, name);
@@ -82,6 +86,14 @@ public class JndiManager extends AbstractManager {
this.allowedProtocols = allowedProtocols;
}
+ private JndiManager(final String name) {
+ super(null, name);
+ this.context = null;
+ this.allowedProtocols = null;
+ this.allowedClasses = null;
+ this.allowedHosts = null;
+ }
+
/**
* Gets the default JndiManager using the default {@link javax.naming.InitialContext}.
*
@@ -194,7 +206,10 @@ public class JndiManager extends AbstractManager {
@Override
protected boolean releaseSub(final long timeout, final TimeUnit timeUnit) {
- return JndiCloser.closeSilently(this.context);
+ if (context != null) {
+ return JndiCloser.closeSilently(this.context);
+ }
+ return true;
}
/**
@@ -207,6 +222,9 @@ public class JndiManager extends AbstractManager {
*/
@SuppressWarnings("unchecked")
public synchronized <T> T lookup(final String name) throws NamingException {
+ if (context == null) {
+ return null;
+ }
try {
URI uri = new URI(name);
if (uri.getScheme() != null) {
@@ -261,21 +279,25 @@ public class JndiManager extends AbstractManager {
@Override
public JndiManager createManager(final String name, final Properties data) {
- String hosts = data != null ? data.getProperty(ALLOWED_HOSTS) : null;
- String classes = data != null ? data.getProperty(ALLOWED_CLASSES) : null;
- String protocols = data != null ? data.getProperty(ALLOWED_PROTOCOLS) : null;
- List<String> allowedHosts = new ArrayList<>();
- List<String> allowedClasses = new ArrayList<>();
- List<String> allowedProtocols = new ArrayList<>();
- addAll(hosts, allowedHosts, permanentAllowedHosts, ALLOWED_HOSTS, data);
- addAll(classes, allowedClasses, permanentAllowedClasses, ALLOWED_CLASSES, data);
- addAll(protocols, allowedProtocols, permanentAllowedProtocols, ALLOWED_PROTOCOLS, data);
- try {
- return new JndiManager(name, new InitialDirContext(data), allowedHosts, allowedClasses,
- allowedProtocols);
- } catch (final NamingException e) {
- LOGGER.error("Error creating JNDI InitialContext.", e);
- return null;
+ if (isIsJndiEnabled()) {
+ String hosts = data != null ? data.getProperty(ALLOWED_HOSTS) : null;
+ String classes = data != null ? data.getProperty(ALLOWED_CLASSES) : null;
+ String protocols = data != null ? data.getProperty(ALLOWED_PROTOCOLS) : null;
+ List<String> allowedHosts = new ArrayList<>();
+ List<String> allowedClasses = new ArrayList<>();
+ List<String> allowedProtocols = new ArrayList<>();
+ addAll(hosts, allowedHosts, permanentAllowedHosts, ALLOWED_HOSTS, data);
+ addAll(classes, allowedClasses, permanentAllowedClasses, ALLOWED_CLASSES, data);
+ addAll(protocols, allowedProtocols, permanentAllowedProtocols, ALLOWED_PROTOCOLS, data);
+ try {
+ return new JndiManager(name, new InitialDirContext(data), allowedHosts, allowedClasses,
+ allowedProtocols);
+ } catch (final NamingException e) {
+ LOGGER.error("Error creating JNDI InitialContext.", e);
+ return null;
+ }
+ } else {
+ return new JndiManager(name);
}
}
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/selector/JndiContextSelector.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/selector/JndiContextSelector.java
index 09bd0a6..43afdb7 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/selector/JndiContextSelector.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/selector/JndiContextSelector.java
@@ -93,6 +93,12 @@ public class JndiContextSelector implements NamedContextSelector {
private static final StatusLogger LOGGER = StatusLogger.getLogger();
+ public JndiContextSelector() {
+ if (!JndiManager.isIsJndiEnabled()) {
+ throw new IllegalStateException("JNDI must be enabled by setting log4j2.enableJndi=true");
+ }
+ }
+
@Override
public void shutdown(String fqcn, ClassLoader loader, boolean currentContext, boolean allContexts) {
LoggerContext ctx = ContextAnchor.THREAD_CONTEXT.get();
diff --git a/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/mom/JmsAppenderTest.java b/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/mom/JmsAppenderTest.java
index 9216ef8..daf2d0e 100644
--- a/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/mom/JmsAppenderTest.java
+++ b/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/mom/JmsAppenderTest.java
@@ -49,6 +49,7 @@ import org.apache.logging.log4j.message.Message;
import org.apache.logging.log4j.message.SimpleMessage;
import org.apache.logging.log4j.message.StringMapMessage;
import org.junit.Before;
+import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.junit.experimental.categories.Category;
@@ -83,6 +84,11 @@ public class JmsAppenderTest {
@Rule
public RuleChain rules = RuleChain.outerRule(jndiRule).around(ctx);
+ @BeforeClass
+ public static void beforeClass() throws Exception {
+ System.setProperty("log4j2.enableJndi", "true");
+ }
+
public JmsAppenderTest() throws Exception {
// this needs to set up before LoggerContextRule
given(connectionFactory.createConnection()).willReturn(connection);
diff --git a/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/routing/RoutingAppenderWithJndiTest.java b/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/routing/RoutingAppenderWithJndiTest.java
index 02a8a79..4ed02f2 100644
--- a/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/routing/RoutingAppenderWithJndiTest.java
+++ b/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/routing/RoutingAppenderWithJndiTest.java
@@ -18,6 +18,7 @@ package org.apache.logging.log4j.core.appender.routing;
import java.io.File;
import java.util.Collections;
+import java.util.Map;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
@@ -29,6 +30,7 @@ import org.apache.logging.log4j.message.StructuredDataMessage;
import org.apache.logging.log4j.test.appender.ListAppender;
import org.junit.After;
import org.junit.Before;
+import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.rules.RuleChain;
@@ -47,8 +49,12 @@ public class RoutingAppenderWithJndiTest {
public static LoggerContextRule loggerContextRule = new LoggerContextRule("log4j-routing-by-jndi.xml");
@ClassRule
- public static RuleChain rules = RuleChain.outerRule(new JndiRule(Collections.<String, Object>emptyMap()))
- .around(loggerContextRule);
+ public static RuleChain rules = RuleChain.outerRule(new JndiRule(initBindings())).around(loggerContextRule);
+
+ private static Map<String, Object> initBindings() {
+ System.setProperty("log4j2.enableJndi", "true");
+ return Collections.emptyMap();
+ }
@Before
public void before() throws NamingException {
diff --git a/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/InterpolatorTest.java b/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/InterpolatorTest.java
index 9e55563..7ce5fa7 100644
--- a/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/InterpolatorTest.java
+++ b/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/InterpolatorTest.java
@@ -23,6 +23,7 @@ import java.util.Map;
import org.apache.logging.log4j.ThreadContext;
import org.apache.logging.log4j.junit.JndiRule;
+import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.rules.ExternalResource;
@@ -48,12 +49,14 @@ public class InterpolatorTest {
protected void before() throws Throwable {
System.setProperty(TESTKEY, TESTVAL);
System.setProperty(TESTKEY2, TESTVAL);
+ System.setProperty("log4j2.enableJndi", "true");
}
@Override
protected void after() {
System.clearProperty(TESTKEY);
System.clearProperty(TESTKEY2);
+ System.clearProperty("log4j2.enableJndi");
}
}).around(new JndiRule(
JndiLookup.CONTAINER_JNDI_RESOURCE_PATH_PREFIX + TEST_CONTEXT_RESOURCE_NAME, TEST_CONTEXT_NAME));
diff --git a/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiDisabledLookupTest.java b/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiDisabledLookupTest.java
new file mode 100644
index 0000000..eb44bc6
--- /dev/null
+++ b/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiDisabledLookupTest.java
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache license, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the license for the specific language governing permissions and
+ * limitations under the license.
+ */
+package org.apache.logging.log4j.core.lookup;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.logging.log4j.junit.JndiRule;
+import org.junit.BeforeClass;
+import org.junit.Rule;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+
+/**
+ * JndiDisabledLookupTest
+ *
+ * Verifies the Lookups are disabled without the log4j2.enableJndi property set to true.
+ */
+public class JndiDisabledLookupTest {
+
+ private static final String TEST_CONTEXT_RESOURCE_NAME = "logging/context-name";
+ private static final String TEST_CONTEXT_NAME = "app-1";
+ private static final String TEST_INTEGRAL_NAME = "int-value";
+ private static final int TEST_INTEGRAL_VALUE = 42;
+ private static final String TEST_STRINGS_NAME = "string-collection";
+ private static final Collection<String> TEST_STRINGS_COLLECTION = Arrays.asList("one", "two", "three");
+
+ @Rule
+ public JndiRule jndiRule = new JndiRule(createBindings());
+
+ private Map<String, Object> createBindings() {
+ final Map<String, Object> map = new HashMap<>();
+ map.put(JndiLookup.CONTAINER_JNDI_RESOURCE_PATH_PREFIX + TEST_CONTEXT_RESOURCE_NAME, TEST_CONTEXT_NAME);
+ map.put(JndiLookup.CONTAINER_JNDI_RESOURCE_PATH_PREFIX + TEST_INTEGRAL_NAME, TEST_INTEGRAL_VALUE);
+ map.put(JndiLookup.CONTAINER_JNDI_RESOURCE_PATH_PREFIX + TEST_STRINGS_NAME, TEST_STRINGS_COLLECTION);
+ return map;
+ }
+
+ @Test
+ public void testLookup() {
+ final StrLookup lookup = new JndiLookup();
+
+ String contextName = lookup.lookup(TEST_CONTEXT_RESOURCE_NAME);
+ assertNull(contextName);
+ }
+}
diff --git a/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLookupTest.java b/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLookupTest.java
index c2e34e3..530d1ee 100644
--- a/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLookupTest.java
+++ b/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLookupTest.java
@@ -22,6 +22,7 @@ import java.util.HashMap;
import java.util.Map;
import org.apache.logging.log4j.junit.JndiRule;
+import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
@@ -42,6 +43,11 @@ public class JndiLookupTest {
@Rule
public JndiRule jndiRule = new JndiRule(createBindings());
+ @BeforeClass
+ public static void beforeClass() {
+ System.setProperty("log4j2.enableJndi", "true");
+ }
+
private Map<String, Object> createBindings() {
final Map<String, Object> map = new HashMap<>();
map.put(JndiLookup.CONTAINER_JNDI_RESOURCE_PATH_PREFIX + TEST_CONTEXT_RESOURCE_NAME, TEST_CONTEXT_NAME);
diff --git a/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiRestrictedLookupTest.java b/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiRestrictedLookupTest.java
index 032c9c4..5a6d0ac 100644
--- a/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiRestrictedLookupTest.java
+++ b/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiRestrictedLookupTest.java
@@ -54,6 +54,7 @@ public class JndiRestrictedLookupTest {
public static void beforeClass() {
System.setProperty("log4j2.allowedLdapClasses", Level.class.getName());
System.setProperty("log4j2.allowedJndiProtocols", "dns");
+ System.setProperty("log4j2.enableJndi", "true");
}
@Test
diff --git a/src/site/xdoc/manual/appenders.xml b/src/site/xdoc/manual/appenders.xml
index 267f54f..bcf6232 100644
--- a/src/site/xdoc/manual/appenders.xml
+++ b/src/site/xdoc/manual/appenders.xml
@@ -1527,6 +1527,9 @@ public class ConnectionFactory {
<a name="JMSTopicAppender"/>
<subsection name="JMS Appender">
<p>The JMS Appender sends the formatted log event to a JMS Destination.</p>
+ <p>The JMS Appender requires JNDI support so as of release 2.15.1 this appender will not function unless
+ <code>log4j2.enableJndi=true</code>log4j2.enableJndi=true is configured as a system property or environment
+ variable. See the <a href="./configuration.html#enableJndi">enableJndi</a> system property.</p>
<p>
Note that in Log4j 2.0, this appender was split into a JMSQueueAppender and a JMSTopicAppender. Starting
in Log4j 2.1, these appenders were combined into the JMS Appender which makes no distinction between queues
diff --git a/src/site/xdoc/manual/configuration.xml.vm b/src/site/xdoc/manual/configuration.xml.vm
index 402a96c..69737de 100644
--- a/src/site/xdoc/manual/configuration.xml.vm
+++ b/src/site/xdoc/manual/configuration.xml.vm
@@ -1960,6 +1960,14 @@ public class AwesomeTest {
before falling back to the default class loader.
</td>
</tr>
+ <tr>
+ <td><a name="enableJndi"/>log4j2.enableJndi</td>
+ <td>LOG4J_ENABLE_JNDI</td>
+ <td>false</td>
+ <td>
+ When true, Log4j components that use JNDI are enabled. When false, the default, they are disabled.
+ </td>
+ </tr>
<tr>
<td><a name="allowedLdapClasses"/>log4j2.allowedLdapClasses</td>
<td>LOG4J_ALLOWED_LDAP_CLASSES</td>
diff --git a/src/site/xdoc/manual/logsep.xml b/src/site/xdoc/manual/logsep.xml
index 55b59eb..6d8694a 100644
--- a/src/site/xdoc/manual/logsep.xml
+++ b/src/site/xdoc/manual/logsep.xml
@@ -111,6 +111,9 @@
to use JNDI to locate each web application's <code>LoggerContext</code>. Be sure to set the
<code>isLog4jContextSelectorNamed</code> context parameter to <kbd>true</kbd> and also set the
<code>log4jContextName</code> and <code>log4jConfiguration</code> context parameters.
+ Note that the JndiContextSelector will not work unless <code>log4j2.enableJndi=true</code> is set as a
+ system property or environment variable. See the
+ <a href="./configuration.html#enableJndi">enableJndi</a> system property.
</li>
</ol>
<p>
diff --git a/src/site/xdoc/manual/lookups.xml b/src/site/xdoc/manual/lookups.xml
index cc6a66f..70024ff 100644
--- a/src/site/xdoc/manual/lookups.xml
+++ b/src/site/xdoc/manual/lookups.xml
@@ -266,6 +266,11 @@
</subsection>
<a name="JndiLookup"/>
<subsection name="Jndi Lookup">
+ <p>
+ As of Log4j 2.15.1 JNDI operations require that <code>log4j2.enableJndi=true</code> be set as a system
+ property or the corresponding environment variable for this lookup to function. See the
+ <a href="./configuration.html#enableJndi">enableJndi</a> system property.
+ </p>
<p>
The JndiLookup allows variables to be retrieved via JNDI. By default the key will be prefixed with
java:comp/env/, however if the key contains a ":" no prefix will be added.
--
2.27.0

BIN
apache-log4j-2.13.2-src.tar.gz → apache-log4j-2.17.0-src.tar.gz
View File

Binary file not shown.

48
log4j.spec
View File

@ -1,17 +1,14 @@
Name: log4j
Version: 2.13.2
Release: 3
Version: 2.17.0
Release: 1
Summary: Java logging package
License: Apache-2.0
URL: http://logging.apache.org/%{name}
Source0: http://archive.apache.org/dist/logging/%{name}/%{version}/apache-%{name}-%{version}-src.tar.gz
Patch1: logging-log4j-Remove-unsupported-EventDataConverter.patch
Patch2: CVE-2021-44228-1.patch
Patch3: CVE-2021-44228-2.patch
Patch4: CVE-2021-44228-3.patch
Patch5: CVE-2021-44228-4.patch
Patch6: CVE-2021-45046.patch
BuildRequires: fdupes maven-local mvn(com.fasterxml.jackson.core:jackson-core)
BuildRequires: mvn(com.fasterxml.jackson.core:jackson-annotations)
BuildRequires: mvn(jakarta.servlet:jakarta.servlet-api)
BuildRequires: mvn(com.fasterxml.jackson.core:jackson-databind) mvn(com.lmax:disruptor)
BuildRequires: mvn(com.sun.mail:javax.mail) mvn(org.apache.commons:commons-compress)
BuildRequires: mvn(org.apache.felix:maven-bundle-plugin)
@ -25,7 +22,7 @@ BuildRequires: mvn(com.datastax.cassandra:cassandra-driver-core)
BuildRequires: mvn(com.fasterxml.jackson.dataformat:jackson-dataformat-xml)
BuildRequires: mvn(com.fasterxml.jackson.dataformat:jackson-dataformat-yaml)
BuildRequires: mvn(com.fasterxml.woodstox:woodstox-core) mvn(commons-logging:commons-logging)
BuildRequires: mvn(javax.servlet.jsp:jsp-api) mvn(javax.servlet:javax.servlet-api)
BuildRequires: mvn(javax.servlet.jsp:jsp-api)
BuildRequires: mvn(org.apache.commons:commons-csv) mvn(org.apache.tomcat:tomcat-catalina)
BuildRequires: mvn(org.eclipse.jetty:jetty-util)
BuildRequires: mvn(org.eclipse.persistence:javax.persistence)
@ -73,11 +70,6 @@ Summary: Apache Log4j BOM
%description bom
Apache Log4j 2 Bill of Material
%package nosql
Summary: Apache Log4j NoSql
%description nosql
Use NoSQL databases such as MongoDB and CouchDB to append log messages.
%package help
Summary: API documentation for %{name}
Obsoletes: %{name}-manual < %{version}
@ -113,21 +105,40 @@ rm -r log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/kafka
%pom_disable_module %{name}-liquibase
%pom_disable_module %{name}-slf4j18-impl
%pom_disable_module %{name}-jdbc-dbcp2
%pom_disable_module %{name}-mongodb2
%pom_disable_module %{name}-mongodb3
%pom_disable_module %{name}-mongodb4
%pom_remove_dep :jconsole %{name}-jmx-gui
%pom_add_dep sun.jdk:jconsole %{name}-jmx-gui
%pom_change_dep -r org.osgi:org.osgi.core org.osgi:osgi.core
%pom_remove_plugin :apache-rat-plugin %{name}-bom
%pom_remove_plugin :maven-failsafe-plugin
%pom_remove_plugin -r :maven-failsafe-plugin
%pom_disable_module %{name}-iostreams
%pom_disable_module %{name}-jul
%pom_disable_module %{name}-core-its
%pom_disable_module %{name}-jpa
%pom_disable_module %{name}-couchdb
%pom_disable_module %{name}-cassandra
%pom_disable_module %{name}-appserver
%pom_disable_module %{name}-spring-boot
%pom_disable_module %{name}-spring-cloud-config
%pom_disable_module %{name}-kubernetes
%pom_disable_module %{name}-jpl
%pom_remove_dep -r :jackson-dataformat-yaml
%pom_remove_dep -r :jackson-dataformat-xml
%pom_remove_dep -r :woodstox-core
%pom_remove_dep -r :javax.persistence
%pom_remove_dep -r :jboss-jms-api_1.1_spec
%pom_remove_dep -r :jeromq
%pom_remove_dep -r :commons-csv
rm -r log4j-core/src/main/java/org/apache/logging/log4j/core/{jackson,config/yaml,parser}
rm -r log4j-core/src/main/java/org/apache/logging/log4j/core/appender/{db,mom,nosql}
rm log4j-core/src/main/java/org/apache/logging/log4j/core/layout/*{Csv,Jackson,Xml,Yaml,Json,Gelf}*.java
rm log4j-1.2-api/src/main/java/org/apache/log4j/builders/layout/*Xml*.java
rm log4j-api/src/main/java/org/apache/logging/log4j/util/Activator.java
rm -r log4j-1.2-api/src/main/java/org/apache/log4j/or/jms
%{mvn_alias} :%{name}-1.2-api %{name}:%{name}
%{mvn_file} ':{%{name}-1.2-api}' %{name}/@1 %{name}
%{mvn_package} ':%{name}-slf4j-impl' slf4j
@ -147,7 +158,7 @@ rm -r log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/kafka
%install
%mvn_install
%fdupes -s %{buildroot}%{_javadocdir}
%jpackage_script org.apache.logging.log4j.jmx.gui.ClientGUI '' '' %{name}/%{name}-jmx-gui:%{name}/%{name}-core %{name}-jmx false
%jpackage_script org.apache.logging.log4j.jmx.gui.ClientGui '' '' %{name}/%{name}-jmx-gui:%{name}/%{name}-core %{name}-jmx false
%files -f .mfiles
%doc LICENSE.txt NOTICE.txt
@ -163,8 +174,6 @@ rm -r log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/kafka
%files bom -f .mfiles-bom
%files nosql -f .mfiles-nosql
%files jmx-gui -f .mfiles-jmx-gui
%{_bindir}/%{name}-jmx
@ -173,6 +182,9 @@ rm -r log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/kafka
%doc NOTICE.txt
%changelog
* Fri Dec 24 2021 wangkai <wangkai385@huawei.com> - 2.17.0-1
- Upgrade to 2.17.0 for fix CVE-2021-45105
* Thu Dec 16 2021 yaoxin <yaoxin30@huawei.com> - 2.13.2-3
- Fix CVE-2021-45046