The POC seems to require the attacker be able to upload a file that overwrites the configuration, with hot reloading enabled. We do have hot reloading enabled but there's no inherent way to overwrite the config.
That said with logback currently at 1.2.3 (in trunk), perhaps we should consider an upgrade for safety. On Tue, Dec 14, 2021 at 8:50 AM Steinmaurer, Thomas <thomas.steinmau...@dynatrace.com.invalid> wrote: > > Any thoughts what the logback folks have been filed here? > https://jira.qos.ch/browse/LOGBACK-1591 > > Thanks! > > -----Original Message----- > From: Brandon Williams <dri...@gmail.com> > Sent: Sonntag, 12. Dezember 2021 18:56 > To: dev@cassandra.apache.org > Subject: Recent log4j vulnerability > > I replied to a user- post about this, but thought it was worth repeating it > here. > > In > https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.apache.org%2Fjira%2Fbrowse%2FCASSANDRA-5883&data=04%7C01%7Cthomas.steinmaurer%40dynatrace.com%7C8016a1aeed8c4589cbe408d9bd9a0920%7C70ebe3a35b30435d9d677716d74ca190%7C1%7C0%7C637749291586596208%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=0klDN4WmFkt876OCsXL%2FX%2FUXa%2FrsxmwCKFgmnP4Lctw%3D&reserved=0 > you can see where Apache Cassandra never chose to use log4j2 (preferring > logback instead), and thus is not, and has never been, vulnerable to this RCE. > > Kind Regards, > Brandon > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org > For additional commands, e-mail: dev-h...@cassandra.apache.org > > This email may contain confidential information. If it appears this message > was sent to you by mistake, please let us know of the error. In this case, we > also ask that you do not further forward the content and delete it. Thank you > for your cooperation and understanding. Dynatrace Austria GmbH (registration > number FN 91482h) is a company registered in Linz whose registered office is > at 4020 Linz, Austria, Am Fünfundzwanziger Turm 20. > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org > For additional commands, e-mail: dev-h...@cassandra.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org For additional commands, e-mail: dev-h...@cassandra.apache.org
