gianm commented on issue #12054:
URL: https://github.com/apache/druid/issues/12054#issuecomment-991350157
Yes, the second option is recommended because prior to 0.22.1, Druid used
log4j 2.8.2, which doesn't accept the `-Dlog4j.formatMsgNoLookups=true`
mitigation. But according to the log4j maintainers, it does accept the
`%m{nolookups}` mitigation.
@glasser typically for security issues we patch the latest version, and for
earlier versions we're more likely to recommend deploying mitigations. Even if
that does change we are definitely going to be prioritizing getting out the
0.22.1 release.
In your specific case, a couple of thoughts:
1. The issue https://issues.apache.org/jira/browse/LOG4J2-3198 and the
attached PR make it appear to me that the problem is PatternLayout-specific.
2. However, I wouldn't trust my own rookie analysis here! So in your
position, if I weren't comfortable upgrading to 0.22.1 today, instead I'd
manually replace the 2.8.2 jars in my local install with the 2.15.0 jars. It
should work OK, since when we updated master to 2.15.0, we didn't need to
change any source code. It suggests the 2.15.0 jars should work as a drop-in
replacement. Or, if you can build your own tarball, I'd do one of 0.21.1 with
the log4j version updated.
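A log4j2.xml fragment, added here as an illustration and not taken from the comment above or from Druid's own configuration, showing a PatternLayout with the `%m{nolookups}` mitigation next to the unmitigated pattern; the appender names and the pattern string are assumptions.

```xml
<!-- Added example, not part of the Druid issue thread: a Console appender
     before and after the PatternLayout mitigation. Appender names and the
     pattern string are assumed. -->
<Configuration status="WARN">
  <Appenders>
    <!-- Unmitigated form: a plain %m lets affected log4j 2.x releases
         resolve ${...} lookups that appear inside logged message text. -->
    <Console name="ConsoleUnmitigated" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %p [%t] %c - %m%n"/>
    </Console>

    <!-- Mitigated form for releases such as the 2.8.2 shipped with Druid
         before 0.22.1, which predate the log4j.formatMsgNoLookups property
         (added in 2.10): %m{nolookups} turns off lookup substitution in the
         message for this layout. Every PatternLayout in the configuration
         needs the same change, or the gap remains in the ones left as %m. -->
    <Console name="ConsoleMitigated" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %p [%t] %c - %m{nolookups}%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="ConsoleMitigated"/>
    </Root>
  </Loggers>
</Configuration>
```

The layout change only covers message lookups in the layouts you edit; the route the comment recommends (the 2.15.0 jars or the 0.22.1 release) is the complete fix.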