[BEAM-13434] Bump up Apache log4j2 to 2.16.0 due to the vulnerability - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Triage Needed
Priority: P1
Resolution: Fixed
Affects Version/s: 2.34.0
Fix Version/s: 2.35.0
Component/s: sdk-java-core
Labels:
None

Description

1. Overview

2.0 <= Apache log4j2 <= 2.14.1 has vulnerability.

> In most cases, developers may write error messages caused by user input into the log. Attackers can use this feature to construct special data request packets through this vulnerability, and ultimately trigger remote code execution.

[UPDATED]

The vulnerability is labeled to `CVE-2021-44228`.

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

1. References

Attachments

Issue Links

links to

GitHub Pull Request #16191

GitHub Pull Request #16217

GitHub Pull Request #16218

GitHub Pull Request #16223

GitHub Pull Request #16224

GitHub Pull Request #16233

GitHub Pull Request #16237

GitHub Pull Request #16264

GitHub Pull Request #16265

GitHub Pull Request #16289

GitHub Pull Request #16296

GitHub Pull Request #16299

GitHub Pull Request #16302

GitHub Pull Request #16352

(9 links to)

Activity

People

Assignee:: Unassigned

Reporter:: Yu Ishikawa

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 10/Dec/21 04:42

Updated:: 13/Apr/23 11:07

Resolved:: 10/Dec/21 15:42

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

27h 10m