[HDDS-6143] Update log4j version to 2.17.1 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.3.0, 1.2.2
Component/s: build
Labels:
- pull-request-available

Target Version/s:

1.2.2

Description

Release notes: https://github.com/apache/logging-log4j2/blob/rel/2.17.1/RELEASE-NOTES.md

Looks like another RCE (CVE-2021-44832) in 2.17.0.

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

https://www.bleepingcomputer.com/news/security/log4j-2171-out-now-fixes-new-remote-code-execution-bug/

Attachments

Issue Links

is duplicated by

HDDS-6266 ozone public release 1.2.1 isn't using latest log4j

Resolved

links to

GitHub Pull Request #2952

Activity

People

Assignee:: Siyao Meng

Reporter:: Siyao Meng

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 28/Dec/21 20:49

Updated:: 03/Aug/22 09:13

Resolved:: 04/Jan/22 19:30