search
HomeOperation and MaintenanceApacheApache Log4j 2.17.0 has been released! See what problem was solved?

Apache Log4j version 2.17.0 has been officially released, solving the third discovered security vulnerability, CVE-2021-45105.

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 do not prevent uncontrolled recursion of self-referential lookups. When the log configuration uses a non-default Pattern Layout and Context Lookup (for example, $${ctx:loginId}), an attacker who controls the thread context map (MDC) input data can craft malicious input data containing recursive lookups, causing a StackOverflowError. Thereby terminating the process. This is also called a DoS attack. [Recommended: Apache Usage Tutorial]

Starting from version 2.17.0 (for Java 8), only the search string in the configuration will be recursively expanded; in any other usage, Only top-level lookups are parsed, not any nested lookups.

In previous versions, this issue could be mitigated by ensuring that your logging configuration did the following:

  • In the logging configuration In the PatternLayout, replace Context Lookups such as ${ctx:loginId} or $${ctx:loginId} with the Thread Context Map pattern (%X, %mdc or %MDC).

  • Otherwise, remove references to Context Lookups such as ${ctx:loginId} or ${ctx:loginId} in the configuration; they originate from sources outside the application, such as HTTP headers or user input..

The specific updates of version 2.17.0 include:

  • Fixed string replacement recursion. Fix LOG4J2-3230

  • Restrict JNDI to java protocol only. By default, JNDI will remain disabled. Renamed JNDI enable properties from "log4j2.enableJndi" to "log4j2.enableJndiLookup", "log4j2.enableJndiJms", and "log4j2.enableJndiContextSelector". Fix LOG4J2-3242

  • JNDI is limited to java protocol. By default, JNDI will remain disabled. The enable property has been renamed to "log4j2.enableJndiJava". Fix LOG4J2-3242

  • Do not declare log4j-api-java9 and log4j-core-java9 as dependencies as this will cause problems with the Maven enforcer plugin. Fix LOG4J2-3241

  • PropertiesConfiguration.parseAppenderFilters NPE when parsing properties file filters. Fix LOG4J2-3247

  • #Syslog Appender's Log4j 1.2 bridge defaults to port 512 instead of 514. Fix LOG4J2-3249

  • Log4j 1.2 bridge API hardcodes Syslog protocol to TCP. Fix LOG4J2-3237

The above is the detailed content of Apache Log4j 2.17.0 has been released! See what problem was solved?. For more information, please follow other related articles on the PHP Chinese website!

Statement
This article is reproduced at:OSC开源社区. If there is any infringement, please contact admin@php.cn delete
What Apache is Known For: Key Features and AchievementsWhat Apache is Known For: Key Features and AchievementsApr 18, 2025 am 12:03 AM

ApacheHTTPServer has become a leader in the field of web servers for its modular design, high scalability, security and performance optimization. 1. Modular design supports various protocols and functions by loading different modules. 2. Highly scalable to adapt to the needs of small to large applications. 3. Security protects the website through mod_security and multiple authentication mechanisms. 4. Performance optimization improves loading speed through data compression and caching.

The Enduring Relevance of Apache: Examining Its Current StatusThe Enduring Relevance of Apache: Examining Its Current StatusApr 17, 2025 am 12:06 AM

ApacheHTTPServer remains important in modern web environments because of its stability, scalability and rich ecosystem. 1) Stability and reliability make it suitable for high availability environments. 2) A wide ecosystem provides rich modules and extensions. 3) Easy to configure and manage, and can be quickly started even for beginners.

Apache's Popularity: Reasons for Its SuccessApache's Popularity: Reasons for Its SuccessApr 16, 2025 am 12:05 AM

The reasons for Apache's success include: 1) strong open source community support, 2) flexibility and scalability, 3) stability and reliability, and 4) a wide range of application scenarios. Through community technical support and sharing, Apache provides flexible modular design and configuration options, ensuring its adaptability and stability under a variety of needs, and is widely used in different scenarios from personal blogs to large corporate websites.

Apache's Legacy: What Made It Famous?Apache's Legacy: What Made It Famous?Apr 15, 2025 am 12:19 AM

Apachebecamefamousduetoitsopen-sourcenature,modulardesign,andstrongcommunitysupport.1)Itsopen-sourcemodelandpermissiveApacheLicenseencouragedwidespreadadoption.2)Themodulararchitectureallowedforextensivecustomizationandadaptability.3)Avibrantcommunit

The Advantages of Apache: Performance and FlexibilityThe Advantages of Apache: Performance and FlexibilityApr 14, 2025 am 12:08 AM

Apache's performance and flexibility make it stand out in a web server. 1) Performance advantages are reflected in efficient processing and scalability, which are implemented through multi-process and multi-threaded models. 2) Flexibility stems from the flexibility of modular design and configuration, allowing modules to be loaded and server behavior adjusted according to requirements.

What to do if the apache80 port is occupiedWhat to do if the apache80 port is occupiedApr 13, 2025 pm 01:24 PM

When the Apache 80 port is occupied, the solution is as follows: find out the process that occupies the port and close it. Check the firewall settings to make sure Apache is not blocked. If the above method does not work, please reconfigure Apache to use a different port. Restart the Apache service.

How to solve the problem that apache cannot be startedHow to solve the problem that apache cannot be startedApr 13, 2025 pm 01:21 PM

Apache cannot start because the following reasons may be: Configuration file syntax error. Conflict with other application ports. Permissions issue. Out of memory. Process deadlock. Daemon failure. SELinux permissions issues. Firewall problem. Software conflict.

How to set the cgi directory in apacheHow to set the cgi directory in apacheApr 13, 2025 pm 01:18 PM

To set up a CGI directory in Apache, you need to perform the following steps: Create a CGI directory such as "cgi-bin", and grant Apache write permissions. Add the "ScriptAlias" directive block in the Apache configuration file to map the CGI directory to the "/cgi-bin" URL. Restart Apache.

See all articles

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

AI Hentai Generator

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)
1 months agoBy尊渡假赌尊渡假赌尊渡假赌
R.E.P.O. Best Graphic Settings
1 months agoBy尊渡假赌尊渡假赌尊渡假赌
Will R.E.P.O. Have Crossplay?
1 months agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Safe Exam Browser

Safe Exam Browser

Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.

WebStorm Mac version

WebStorm Mac version

Useful JavaScript development tools

SAP NetWeaver Server Adapter for Eclipse

SAP NetWeaver Server Adapter for Eclipse

Integrate Eclipse with SAP NetWeaver application server.

MinGW - Minimalist GNU for Windows

MinGW - Minimalist GNU for Windows

This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.

Atom editor mac version download

Atom editor mac version download

The most popular open source editor