RANGER-3555

Upgrade log4j from 2.13.3 (or 2.11.1) to 2.16.0


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 2.1.0, 2.2.0
    • Fix Version/s: None
    • Component/s: Ranger
    • Labels: None
    • Flags: Important

    Description

      The current log4j version in Ranger (2.11.1 for Ranger 2.1 and 2.13.3 for Ranger 2.2) has a critical security vulnerability (rated 10/10).

      CVE-2021-44228 (and its follow-up CVE-2021-45046) is a vulnerability classified at the highest severity mark, i.e. 10 out of 10. It allows an attacker to execute arbitrary code by injecting attacker-controlled data into a logged message.

      https://nvd.nist.gov/vuln/detail/CVE-2021-44228

      https://nvd.nist.gov/vuln/detail/CVE-2021-45046

      It is highly urgent to have a procedure to upgrade to the newly released version 2.16, which corrects this vulnerability.
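      Added example, not part of this issue or of the Ranger code base: before and after any upgrade, a practitioner wants an inventory of every jar that actually carries log4j-core under the install tree (Ranger's own lib/ directory and each plugin directory), not just the version number in the build file. The script below walks a directory tree, reads the log4j-core version from the jar's Maven pom.properties (falling back to a conventional file name such as log4j-core-2.13.3.jar), compares it with the 2.16.0 target this issue asks for, and separately checks whether org/apache/logging/log4j/core/lookup/JndiLookup.class is still present, so a host where only the "delete JndiLookup.class" stop-gap was applied is reported as mitigated rather than as fixed. The directory layout, jar names and jar contents in build_sample_jars are constructed for the offline run and contain no real Log4j code; TARGET is hard-coded to this issue's 2.16.0 floor and should be raised to whatever release is currently recommended. Copies shaded under a relocated package name are not detected.

```python
"""
Inventory log4j-core jars under a directory tree and grade each one against
the 2.16.0 target of RANGER-3555. Added example, not Ranger project code.

Two signals per jar:
  * version, read from log4j-core's Maven pom.properties, or failing that
    from a conventional file name such as log4j-core-2.13.3.jar;
  * whether org/apache/logging/log4j/core/lookup/JndiLookup.class is still
    inside, i.e. whether the "delete JndiLookup.class" stop-gap was applied.
Copies shaded under a relocated package name are not detected.
"""
import re
import sys
import tempfile
import zipfile
from pathlib import Path

TARGET = (2, 16, 0)  # floor this issue asks for; raise to the current recommended release
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FILENAME_RE = re.compile(r"log4j-core-(\d+\.\d+\.\d+)")


def parse_version(text):
    """'2.13.3' -> (2, 13, 3); tolerates '2.16' and suffixes like '2.17.0-SNAPSHOT'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None


def inspect_jar(path, root):
    """Grade one jar; return None if it carries nothing log4j-core related."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            version = None
            if POM_PROPS in names:  # Maven-built log4j-core ships its own pom.properties
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = parse_version(line.split("=", 1)[1])
    except zipfile.BadZipFile:
        return None
    if version is None:  # no Maven metadata: fall back to the file name
        m = FILENAME_RE.search(path.name)
        version = parse_version(m[1]) if m else None
    has_jndi = JNDI_CLASS in names
    if version is None and not has_jndi:
        return None  # unrelated jar
    if version is None:
        verdict = "UNKNOWN"
        reason = "JndiLookup.class present but no log4j-core version metadata (shaded copy?); inspect by hand"
    elif version >= TARGET:
        verdict, reason = "OK", "meets the %d.%d.%d target" % TARGET
    elif has_jndi:
        verdict, reason = "VULNERABLE", "below target and JndiLookup.class still present"
    else:
        verdict, reason = "MITIGATED", "JndiLookup.class removed but still below target; upgrade the jar"
    return {"path": path.relative_to(root).as_posix(), "version": version,
            "has_jndi_lookup": has_jndi, "verdict": verdict, "reason": reason}


def scan(root):
    """Report on every log4j-core-bearing jar under root, sorted by path."""
    root = Path(root)
    return [r for r in (inspect_jar(p, root) for p in sorted(root.rglob("*.jar"))) if r]


def build_sample_jars(root):
    """Constructed sample jars for an offline run: metadata and a stub class entry only."""
    samples = {  # relative path: (version in pom.properties or None, JndiLookup.class present)
        "ranger-2.1/lib/log4j-core-2.11.1.jar": ("2.11.1", True),
        "ranger-2.2/lib/log4j-core-2.13.3.jar": ("2.13.3", True),
        "patched/lib/log4j-core-2.13.3.jar": ("2.13.3", False),   # stop-gap applied
        "nometa/lib/log4j-core-2.15.0.jar": (None, True),          # version only in the name
        "upgraded/lib/log4j-core-2.16.0.jar": ("2.16.0", True),
        "shaded/lib/ranger-plugin-all.jar": (None, True),          # embedded, unversioned copy
        "other/lib/commons-lang-2.6.jar": (None, False),           # unrelated jar
    }
    for rel, (version, jndi) in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if version:
                zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                            "artifactId=log4j-core\nversion=%s\n" % version)
            if jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return root


def demo():
    """Scan the constructed samples in a temp dir; results keyed by relative path."""
    return {r["path"]: r for r in scan(build_sample_jars(tempfile.mkdtemp()))}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_jars(tempfile.mkdtemp())
    for r in scan(target):
        print("%-10s %-40s version=%s  %s" % (r["verdict"], r["path"], r["version"], r["reason"]))
```

      Run it as `python log4j_inventory.py /path/to/ranger` to scan a real install; with no argument it scans the constructed samples. A jar graded MITIGATED is still below the target and should be replaced, and an UNKNOWN jar (a JndiLookup.class with no version metadata) is exactly the kind of embedded copy that a version bump in the build file does not reach.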

            People

              Assignee: Unassigned
              Reporter: alain pellegrino (alain.pellegrino@alithya.com)
              Votes: 0
              Watchers: 2
