Rat (Release Audit Tool) results

The following document contains the results of Rat (Release Audit Tool).

*****************************************************
Summary
-------
Generated at: 2021-12-28T10:26:33-07:00

Notes: 2
Binaries: 173
Archives: 2
Standards: 83

Apache Licensed: 81
Generated Documents: 0

JavaDocs are generated, thus a license header is optional.
Generated files do not require license headers.

2 Unknown Licenses

*****************************************************

Files with unapproved licenses:

  docs/2.17.0-interpolation.md
  docs/cve-map.md

*****************************************************

Archives:

 + .mvn/wrapper/maven-wrapper.jar
 
 + src/site/resources/glyphicons-halflings-2-1.zip
 
*****************************************************
  Files with Apache License headers will be marked AL
  Binary files (which do not require any license headers) will be marked B
  Compressed archives will be marked A
  Notices, licenses etc. will be marked N
  AL    CODE_OF_CONDUCT.md
  AL    toolchains-jenkins-win.xml
  AL    findbugs-exclude-filter.xml
  AL    doap_log4j2.rdf
  AL    mvnw.cmd
  AL    toolchains-sample-mac.xml
  AL    jenkins-toolchains-win.xml
  AL    Dockerfile
  AL    log4j-distribution/pom.xml
  AL    log4j-distribution/src/assembly/src.xml
  AL    log4j-distribution/src/assembly/bin.xml
  AL    workflows/maven-toolchains.xml
  AL    toolchains-sample-win.xml
  AL    pom.xml
  AL    checkstyle-import-control.xml
 !????? docs/2.17.0-interpolation.md
 !????? docs/cve-map.md
  AL    checkstyle-suppressions.xml
  N     NOTICE.txt
  AL    .dockerignore
  AL    .mvn/wrapper/MavenWrapperDownloader.java
  AL    .mvn/wrapper/maven-wrapper.properties
  A     .mvn/wrapper/maven-wrapper.jar
  AL    CONTRIBUTING.md
  AL    .github/workflows/maven-toolchains.xml
  AL    toolchains-docker.xml
  AL    checkstyle.xml
  N     LICENSE.txt
  AL    toolchains-sample-linux.xml
  AL    mvnw
  AL    toolchains-jenkins-ubuntu.xml
  AL    checkstyle-header.txt
  AL    jenkins-toolchains.xml
  AL    BUILDING.md
  AL    src/changes/announcement.vm
  AL    src/changes/changes.xml
  AL    src/assembly/site.xml
  AL    src/site/markdown/index.md.vm
  AL    src/site/markdown/articles.md
  AL    src/site/markdown/changelog.md
  AL    src/site/markdown/download.md.vm
  AL    src/site/markdown/maven-artifacts.md.vm
  AL    src/site/markdown/support.md
  AL    src/site/markdown/manual/migration.md
  AL    src/site/markdown/manual/cloud.md
  AL    src/site/markdown/manual/compatibility.md
  AL    src/site/markdown/javadoc.md
  AL    src/site/markdown/build.md
  AL    src/site/markdown/api-separation.md
  AL    src/site/markdown/faq.md.vm
  AL    src/site/markdown/security.md
  B     src/site/resources/images/Log4j2AppenderThroughputComparison-windows.png
  B     src/site/resources/images/ResponseTimeVsServiceTimeAsyncLoggers.png
  B     src/site/resources/images/ResponseTimeAsyncLogging1Thread@128k.png
  B     src/site/resources/images/jmx-standalone-statuslogger.png
  B     src/site/resources/images/LocationPerf.png
  B     src/site/resources/images/SynchronousFileResponseTime2T32k-labeled.png
  B     src/site/resources/images/async-throughput-comparison.png
  B     src/site/resources/images/log4j-2.5-FlightRecording-thumbnail40pct.png
  B     src/site/resources/images/Log4j2AppenderThroughputComparison-linux.png
  B     src/site/resources/images/ResponseTimeSyncClassicVsGcFree.png
  B     src/site/resources/images/MarkerFilterCostComparison.png
  B     src/site/resources/images/ThreadContextFilterCostComparison.png
  B     src/site/resources/images/DockerFluentd.png
  B     src/site/resources/images/whichjar-2.1.png
  B     src/site/resources/images/LoggerAggregator.png
  B     src/site/resources/images/DockerStdout.png
  B     src/site/resources/images/log4j-2.5-FlightRecording.png
  B     src/site/resources/images/YourKitLogo.png
  B     src/site/resources/images/ls-logo.jpg
  B     src/site/resources/images/async-latency-histogram-64-threads.png
  B     src/site/resources/images/SyncThroughputLoggerComparisonLinux.png
  B     src/site/resources/images/async-average-latency.png
  B     src/site/resources/images/maven-feather.png
  B     src/site/resources/images/log4j-2.6-FlightRecording.png
  B     src/site/resources/images/whichjar.xlsx
  B     src/site/resources/images/jmx-jconsole-mbeans.png
  B     src/site/resources/images/jmx-standalone-editconfig.png
  B     src/site/resources/images/whichjar-log4j-api.png
  B     src/site/resources/images/whichjar-log4j-1.2-api.png
  B     src/site/resources/images/IntelliJ-IDEA-logo.png
  B     src/site/resources/images/whichjar-slf4j-2.1.png
  B     src/site/resources/images/garbage-free2.6-SyncThroughputLinux.png
  B     src/site/resources/images/expanded.gif
  B     src/site/resources/images/jmx-jconsole-editconfig.png
  B     src/site/resources/images/DockerLogFile.png
  B     src/site/resources/images/logo.jpg
  B     src/site/resources/images/logo.png
  B     src/site/resources/images/ResponseTimeAsyncLogging4Threads@16kEach.png
  B     src/site/resources/images/jmx-jconsole-statuslogger.png
  B     src/site/resources/images/async-vs-sync-throughput.png
  B     src/site/resources/images/ResponseTimeAsyncLogging16Threads@8kEach.png
  B     src/site/resources/images/whichjar-slf4j-2.x.png
  B     src/site/resources/images/whichjar.png
  B     src/site/resources/images/DockerTCP.png
  B     src/site/resources/images/ResponseTimeAsyncLogging16Threads@8kEachLog4j2Only-labeled.png
  B     src/site/resources/images/async-max-latency-99.99pct.png
  B     src/site/resources/images/ResponseTimeAsyncClassicVsGcFree-label.png
  B     src/site/resources/images/whichjar-slf4j.png
  B     src/site/resources/images/DockerFluentdAggregator.png
  B     src/site/resources/images/log4j-2.6-FlightRecording-thumbnail40pct.png
  B     src/site/resources/images/Log4jClasses.jpg
  B     src/site/resources/images/AsyncWithLocationThrpt1T.png
  B     src/site/resources/images/AsyncWithLocationThrpt1T-labeled.png
  B     src/site/resources/images/ParamMsgThrpt1-4T.png
  B     src/site/resources/images/whichjar-2.x.png
  B     src/site/resources/images/collapsed.gif
  A     src/site/resources/glyphicons-halflings-2-1.zip
  AL    src/site/resources/pdf-config.xml
  B     src/site/resources/img/glyphicons/info.png
  B     src/site/resources/img/glyphicons/layers.png
  B     src/site/resources/img/glyphicons/book.png
  B     src/site/resources/img/glyphicons/link.png
  B     src/site/resources/img/glyphicons/tag.png
  B     src/site/resources/img/glyphicons/home.png
  B     src/site/resources/img/glyphicons/cog.png
  B     src/site/resources/img/glyphicons/pencil.png
  B     src/site/resources/img/glyphicons-halflings.png
  B     src/site/resources/img/glyphicons-halflings-white.png
  B     src/site/resources/logo/logo-electric-blue-2-2.8.2.png
  B     src/site/resources/logo/logo-chocolate-swirl-2.xcf
  B     src/site/resources/logo/logo-2.9.1.png
  B     src/site/resources/logo/logo-ice.xcf
  B     src/site/resources/logo/logo-qbert.xcf
  B     src/site/resources/logo/logo-red-cubes.png
  B     src/site/resources/logo/logo-sky.xcf
  B     src/site/resources/logo/logo-chocolate-swirl.xcf
  B     src/site/resources/logo/logo-3d-green-bg.png
  B     src/site/resources/logo/logo-stone.xcf
  B     src/site/resources/logo/logo-lightning.png
  B     src/site/resources/logo/logo-leather.png
  B     src/site/resources/logo/logo-leather-2.xcf
  B     src/site/resources/logo/logo-craters-2.png
  B     src/site/resources/logo/logo-rocks.png
  B     src/site/resources/logo/logo-rain.xcf
  B     src/site/resources/logo/logo-lightning-2.6.1.xcf
  B     src/site/resources/logo/logo-java-2-2.6.2.xcf
  B     src/site/resources/logo/logo-blue-web.png
  B     src/site/resources/logo/logo-big-blue.png
  B     src/site/resources/logo/logo-pool-bottom-bg.xcf
  B     src/site/resources/logo/logo-pool-bottom.xcf
  B     src/site/resources/logo/logo-walnut.png
  B     src/site/resources/logo/logo-wood.png
  B     src/site/resources/logo/logo-starfield.png
  B     src/site/resources/logo/logo-marble-1.xcf
  B     src/site/resources/logo/logo-paper-2.png
  B     src/site/resources/logo/logo-tree-bark.xcf
  B     src/site/resources/logo/logo-granite.png
  B     src/site/resources/logo/logo-pastel-stuff-2.png
  B     src/site/resources/logo/logo-big-blue-cup-2.10.xcf
  B     src/site/resources/logo/logo-electric-blue.xcf
  B     src/site/resources/logo/logo-blue-web-2.11.0.png
  B     src/site/resources/logo/logo-paper-1.png
  B     src/site/resources/logo/logo-pastel-stuff.xcf
  B     src/site/resources/logo/logo-pastel-stuff-3.png
  B     src/site/resources/logo/logo-wood-2.png
  B     src/site/resources/logo/logo-big-blue-cup-2.9.png
  B     src/site/resources/logo/logo-java-3.xcf
  B     src/site/resources/logo/logo-pine.xcf
  B     src/site/resources/logo/logo-granite-2.png
  B     src/site/resources/logo/logo-pastel-stuff-2.8.1.png
  B     src/site/resources/logo/logo-java-2.xcf
  B     src/site/resources/logo/logo-stone-2.8.png
  B     src/site/resources/logo/logo-parque-1.png
  B     src/site/resources/logo/logo-blue-web-r2.6.xcf
  B     src/site/resources/logo/logo-wood-1.png
  B     src/site/resources/logo/logo-parque-3.png
  B     src/site/resources/logo/logo-3d-green-bg-2.xcf
  B     src/site/resources/logo/logo-craters.png
  B     src/site/resources/logo/logo-java-1.xcf
  B     src/site/resources/logo/logo-parque-2.png
  B     src/site/resources/logo/logo-3d-green-bg-2.png
  B     src/site/resources/logo/logo-craters.xcf
  B     src/site/resources/logo/logo-pool-bottom-2.7.png
  B     src/site/resources/logo/logo-wood-1.xcf
  B     src/site/resources/logo/logo-parque-3.xcf
  B     src/site/resources/logo/logo-parque-2.xcf
  B     src/site/resources/logo/logo-java-1.png
  B     src/site/resources/logo/logo-granite-2.xcf
  B     src/site/resources/logo/logo-java-3.png
  B     src/site/resources/logo/logo-pine.png
  B     src/site/resources/logo/logo-wood-2.xcf
  B     src/site/resources/logo/logo-big-blue-cup-2.9.xcf
  B     src/site/resources/logo/logo-parque-1.xcf
  B     src/site/resources/logo/logo-blue-web-r2.6.png
  B     src/site/resources/logo/logo-java-2.png
  B     src/site/resources/logo/logo-stone-2.8.xcf
  B     src/site/resources/logo/logo.jpg
  B     src/site/resources/logo/logo-blue-web-2.11.0.xcf
  B     src/site/resources/logo/logo-big-blue-cup.xcf
  B     src/site/resources/logo/logo-pastel-stuff-2.xcf
  B     src/site/resources/logo/logo-big-blue-cup-2.10.png
  B     src/site/resources/logo/logo-electric-blue.png
  B     src/site/resources/logo/logo-pastel-stuff-3.xcf
  B     src/site/resources/logo/logo-paper-1.xcf
  B     src/site/resources/logo/logo-pastel-stuff.png
  B     src/site/resources/logo/logo-starfield.xcf
  B     src/site/resources/logo/logo-marble-1.png
  B     src/site/resources/logo/logo-wood.xcf
  B     src/site/resources/logo/logo-walnut.xcf
  B     src/site/resources/logo/logo-granite.xcf
  B     src/site/resources/logo/logo-electric-blue-2.xcf
  B     src/site/resources/logo/logo-tree-bark.png
  B     src/site/resources/logo/logo-paper-2.xcf
  B     src/site/resources/logo/logo-pool-bottom-bg.png
  B     src/site/resources/logo/logo-big-blue.xcf
  B     src/site/resources/logo/logo-pool-bottom.png
  B     src/site/resources/logo/logo-lightning-2.6.1.png
  B     src/site/resources/logo/logo-java-2-2.6.2.png
  B     src/site/resources/logo/logo-rocks.xcf
  B     src/site/resources/logo/logo-rain.png
  B     src/site/resources/logo/logo-blue-web.xcf
  B     src/site/resources/logo/logo-lightning.xcf
  B     src/site/resources/logo/logo-leather.xcf
  B     src/site/resources/logo/logo-leather-2.png
  B     src/site/resources/logo/logo-stone.png
  B     src/site/resources/logo/logo-chocolate-swirl.png
  B     src/site/resources/logo/logo-3d-green-bg.xcf
  B     src/site/resources/logo/logo-craters-2.xcf
  B     src/site/resources/logo/logo-electric-blue-2-2.8.2.xcf
  B     src/site/resources/logo/logo-red-cubes.xcf
  B     src/site/resources/logo/logo-sky.png
  B     src/site/resources/logo/logo-qbert.png
  B     src/site/resources/logo/logo-chocolate-swirl-2.png
  B     src/site/resources/logo/logo-2.9.1.xcf
  B     src/site/resources/logo/logo-ice.png
  AL    src/site/asciidoc/manual/json-template-layout.adoc.vm
  AL    src/site/xdoc/guidelines.xml
  AL    src/site/xdoc/runtime-dependencies.xml
  AL    src/site/xdoc/manual/jmx.xml.vm
  AL    src/site/xdoc/manual/filters.xml
  AL    src/site/xdoc/manual/index.xml
  AL    src/site/xdoc/manual/configuration.xml.vm
  AL    src/site/xdoc/manual/markers.xml
  AL    src/site/xdoc/manual/scala-api.xml
  AL    src/site/xdoc/manual/async.xml
  AL    src/site/xdoc/manual/layouts.xml.vm
  AL    src/site/xdoc/manual/garbagefree.xml
  AL    src/site/xdoc/manual/plugins.xml
  AL    src/site/xdoc/manual/customconfig.xml
  AL    src/site/xdoc/manual/webapp.xml
  AL    src/site/xdoc/manual/flowtracing.xml
  AL    src/site/xdoc/manual/extending.xml
  AL    src/site/xdoc/manual/thread-context.xml
  AL    src/site/xdoc/manual/usage.xml
  AL    src/site/xdoc/manual/logsep.xml
  AL    src/site/xdoc/manual/logbuilder.xml
  AL    src/site/xdoc/manual/api.xml
  AL    src/site/xdoc/manual/appenders.xml
  AL    src/site/xdoc/manual/lookups.xml
  AL    src/site/xdoc/manual/messages.xml
  AL    src/site/xdoc/manual/eventlogging.xml
  AL    src/site/xdoc/manual/customloglevels.xml.vm
  AL    src/site/xdoc/manual/architecture.xml
  AL    src/site/xdoc/performance.xml
  AL    src/site/xdoc/thanks.xml
  AL    src/site/xdoc/javastyle.xml
  AL    src/site/pdf.xml
  AL    src/site/custom/project-info-report.properties
  AL    src/site/site.xml
 
*****************************************************

 Printing headers for text files without a valid license header...
 
=====================================================
== File: docs/2.17.0-interpolation.md
=====================================================
I'd like to go into detail on some of the changes in 2.17.0, why they're so important, and how they relate to both [CVE-2021-45046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046) and [CVE-2021-45105](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105).

The substitution of untrusted log data allowed access to code that was never meant to be exposed. Lookups should be triggered only by configuration and the logging framework (including custom layout/appender/etc plugins). Not by user-provided inputs.

## 1. PatternLayout rendered message substitution

Substitution within the contents of a rendered log message provided the largest opportunity for untrusted inputs to be evaluated by the string replacement system. This was [removed (by default) in 2.15.0](https://github.com/apache/logging-log4j2/commit/001aaada7dab82c3c09cde5f8e14245dc9d8b454), and [removed entirely in 2.16.0](https://github.com/apache/logging-log4j2/commit/27972043b76c9645476f561c5adc483dec6d3f5d) after public disclosure.

## 2. Recursive Substitution Within Lookups

Despite message replacements being removed in 2.15.0, other pathways still exist (based on the configuration) which can evaluate untrusted user-provided values. For example, a `PatternLayout` using the pattern `%p %t %c $${ctx:userAgent} %m%n`[1][2] would re-evaluate `config.getStrSubstitutor().replace(event, " ${ctx:userAgent} ")` for each log-event due to the [LiteralPatternConverter](https://github.com/apache/logging-log4j2/blob/cffe58f6a433ea1ab60ceb129d4c9b3377acda1d/log4j-core/src/main/java/org/apache/logging/log4j/core/pattern/LiteralPatternConverter.java#L62-L65). The substitutor would evaluate recursively, and invoke unexpected lookups. At worst triggering something like jndi or an exception preventing logging, but even resulting in logging that doesn't match the literal data input is a very serious bug. For example if `MDC.put("userAgent", "${lower:FOO}")` then `${ctx:userAgent}` would evaluate to literal `foo` instead of literal `${lower:FOO}`

This is not isolated to the PatternLayout, rather anywhere lookups in which the result contained user-provided data. e.g. `${ctx:USER_PROVIDED}`, `${event:Message}`. For example `<Routes pattern="$${ctx:userAgent}">` would be impacted as well.

In 2.17.0 we resolved this class of issues with a simple idea:
Recursive evaluation is allowed while parsing the configuration (no user-input/LogEvent data is present, and configuration breaks are to be avoided) however when log-events themselves are being evaluated we _never_ recursively evaluate substitutions. [That's it](https://github.com/apache/logging-log4j2/commit/806023265f8c905b2dd1d81fd2458f64b2ea0b5e). That means when `${lower:${event:Message}}` is evaluated for message `Hello, World!` the result is `hello, world!`, and when evaluated for `${java:version}` the result is the string literal `${java:version}` which itself is not evaluated.

-----

1. Note that I used `$${ctx:userAgent}` so the value itself is not evaluated, however even `${ctx:userAgent}` may be vulnerable because it's not likely that a thread-context value is set when the configuration itself is evaluated, in which case no replacement occurs and the value is equivalent to the `$${ctx:userAgent}` example.
2. Please use `%X{userAgent}` in the PatternLayout instead of `${ctx:userAgent}`. It's safer, more obvious, and more efficient. LogEventPatternConverters are pluggable, don't rely on stringly typed data, and are created when the pattern is parsed, not re-scanned on a per-LogEvent basis.

## 3. Impact Upon Configuration

There are certainly cases in which this change impacts existing configurations, however I believe that the safety is well worth the trade-off.
For example, [this test configuration](https://github.com/apache/logging-log4j2/commit/806023265f8c905b2dd1d81fd2458f64b2ea0b5e#diff-f13a31d919bf2e7169ca936948aeef1cda6089f295be684d71f2bd5709248475) had to be updated because routes are created based on a log-event, thus we cannot allow recursive evaluation. An argument can be made that the inputs must already be sanitized to avoid path traversal, however the filename isn't the only place these lookups can be evaluated, and the type of sanitization differs dramatically between validating against string replacement data, and validating against unexpected path-based attacks.

In a perfect world I'd love to swap the types used for substitution to avoid stringly matching anything, using the type system to differentiate between trusted lookups and user-input data, however in such a large, widely-used framework, that's not something we can do, certainly not quickly or easily.

### Configuration Impact: Examples

**Complex Lookups :heavy_check_mark: :heavy_check_mark: :heavy_check_mark:**

This example uses complex lookups based on the [ThreadContext](https://logging.apache.org/log4j/2.x/manual/thread-context.html) (aka MDC), however it continues to work as expected **and** prevents user-provided data from `key1` or `key2` from being substituted.

```xml
<--
Note that lookups are all escaped to prevent them from being evaluated
immediately when the Pattern is constructed
-->
<PatternLayout pattern="%d %p %t %c $${lower:$${ctx:key1:-$${ctx:key2}}} %m%n"/>
```


**Pattern Reuse Via Lookups :heavy_check_mark: :heavy_check_mark: :heavy_check_mark:**

This is not impacted either:

```xml
<Properties>

=====================================================
== File: docs/cve-map.md
=====================================================
This is a map of CVEs and Log4j *2* Versions.

| CVE            | Affects   | Fixed In | Java Required |
| -------------- | --------- | --------------- | --- |
| CVE-2021-45105 | 2.0-beta9 to 2.16.0, excluding 2.12.4         | 2.17.0<br>2.12.4<br>2.3.2 | Java 8<br>Java 7<br>Java 6 |
| CVE-2021-45046 | 2.0-beta9 to 2.15.0, excluding 2.12.2         | 2.16.0<br>2.12.2<br>2.3.2 | Java 8<br>Java 7<br>Java 6 |
| CVE-2021-44228 | 2.0-beta9 to 2.16.0, excluding 2.12.4 & 2.3.2 | 2.17.0<br>2.12.4<br>2.3.2 | Java 8<br>Java 7<br>Java 6 |
| CVE-2020-9488  | 2.0-alpha1 to 2.13.1                          | 2.13.2<br>2.12.4          | Java 8<br>Java 7 |
| CVE-2017-5645  | 2.0-alpha1 to 2.8.1                           | 2.8.2                     | Java 7 |

This is a map of CVEs and Log4j *1* End-of-Life Versions.

| CVE            | Affects   | Fixed In | Java Required |
| -------------- | --------- | --------------- | --- |
| CVE-2019-17571 | 1.2 to 1.2.17         | Not fixed | Not fixed |