Details
- Type: Bug
- Status: Closed
- Priority: Critical
- Resolution: Duplicate
- Version/s: 1.2.3, 2.3.0
Description
In order to remediate these bugs with Log4j, please update Storm 2.3.0 and 1.2.3.
- Criticals
  - CVE-2021-45046: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations. Fixed in Log4j 2.16.0 (Java 8) and Log4j 2.12.2 (Java 7).
  - CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints. Fixed in Log4j 2.15.0 (Java 8).
- Moderates
  - CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration. Fixed in Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6).
  - CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation. Fixed in Log4j 2.17.0 (Java 8), 2.12.3 (Java 7) and 2.3.1 (Java 6).
Issue Links
- Blocked: STORM-3810 CVE-2021-44228 Log4J vulnerability (Closed)