The Logging Services Security Team takes security seriously. This allows our users to place their trust in Log4j for protecting their mission-critical data. On this page you will find guidance on security-related issues and access to known vulnerabilities.
If you need help building or configuring Logging Services projects, or help following the instructions to mitigate the known vulnerabilities listed here, please use our user support channels.
Tip: If you need to apply a source code patch, use the building instructions for the project version that you are using. These instructions can be found in
If you have encountered an unlisted security vulnerability or other unexpected behaviour that has a security impact, or if the descriptions here are incomplete, please report them privately to the Logging Services Security Team.
Important: We urge you to carefully read the threat model detailed in the following sections before submitting a report. It gives users certain safety instructions for using Logging Services software and elaborates on what counts as an unexpected behaviour that has a security impact.
The Logging Services Security Team follows the ASF Project Security guide for handling security vulnerabilities.
Reported security vulnerabilities are subject to voting (by means of lazy approval, preferably) in the private security mailing list before creating a CVE and populating its associated content. This procedure involves only the creation of CVEs and blocks neither (vulnerability) fixes, nor releases.