Hi folks,

OK, I'm updating the log4j version from 2.15 to 2.16.

https://issues.apache.org/jira/browse/IGNITE-16127


On 15.12.2021 09:54, Pavel Tupitsyn wrote:
Igniters,

Looks like we need to update to 2.16, there is an additional attack vector [1]

[1] https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/

On Mon, Dec 13, 2021 at 4:06 PM Maxim Muzafarov <mmu...@apache.org> wrote:

Folks,

Should we describe all the WA available for the issue [1]? There is
already a lot of information about CVE, and nevertheless, it will not
be superfluous.

[1] https://issues.apache.org/jira/browse/IGNITE-16101

On Mon, 13 Dec 2021 at 15:37, Ivan Daschinsky <ivanda...@gmail.com> wrote:
Unfortunately, we need to patch our Log4j2 adapter in order to work with log4j-2.15.
So there is no choice other than to release 2.11.1

On Mon, Dec 13, 2021 at 15:21, Anton Vinogradov <a...@apache.org> wrote:

Folks,

My 200 rubles here,
I want to include it in the 2.12 scope.
Why not 2.11.1 as well?
We should provide a fixed version for current customers asap.
2.12 requires migration, while 2.11.1 can be applied as-is.


On Mon, Dec 13, 2021 at 12:18 PM Stephen Darlington <stephen.darling...@gridgain.com> wrote:

Another workaround appears to be using the -Dlog4j2.formatMsgNoLookups=true option. Also, “Java versions greater than 6u211, 7u201, 8u191, and 11.0.1 are less affected by this attack vector, at least in theory, because the JNDI can't load remote code using LDAP.”

(https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/)

On 12 Dec 2021, at 10:56, Dmitriy Pavlov <dpav...@apache.org> wrote:
Hi Igniters,

Preliminary: change of the log4j version does not affect any tests (Alexander Nikolaev, correct me if I'm wrong).

If you're using embedded Ignite, it's perfectly possible to enforce log4j2 dependency to be 2.15.0 in your project final pom.xml or build.gradle or any other build system properties.

https://issues.apache.org/jira/browse/IGNITE-16101 ticket seems to be a blocker for 2.12. But for now, as a workaround, it's possible to select the latest version manually.

Sincerely,
Dmitriy Pavlov

On Sat, Dec 11, 2021 at 09:47, Nikita Amelchev <namelc...@apache.org> wrote:
Hello.

The issue to update dependency was created:
https://issues.apache.org/jira/browse/IGNITE-16101

I want to include it in the 2.12 scope.

On Sat, Dec 11, 2021, 09:19 Raymond Wilson <raymond_wil...@trimble.com> wrote:
All

This blew up today: CVE-2021-44228 (https://www.bleepingcomputer.com/news/security/new-zero-day-exploit-for-log4j-java-library-is-an-enterprise-nightmare/)

Will there be a risk assessment with respect to Ignite for this CVE?
Thanks,
Raymond.

--
<http://www.trimble.com/>
Raymond Wilson
Trimble Distinguished Engineer, Civil Construction Software (CCS)
11 Birmingham Drive | Christchurch, New Zealand
raymond_wil...@trimble.com

--
Sincerely yours, Ivan Daschinskiy
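
A way to confirm that the version override described in the thread (forcing the log4j2 dependency in an embedded-Ignite project's pom.xml) actually took effect, as an added example that is not part of the thread or of Ignite: it parses `mvn dependency:tree` output and lists log4j2 artifacts resolved below 2.16.0, the version the thread ends up at. The sample tree, the `com.example` project and the function name are constructed for illustration.

```python
import re

# Version floor taken from the thread: 2.15 was superseded by 2.16.
MIN_VERSION = (2, 16, 0)

# Matches group:artifact:jar:version[:scope] as printed by `mvn dependency:tree`.
# Coordinates that carry a classifier are not handled here.
COORD = re.compile(
    r"org\.apache\.logging\.log4j:(?P<artifact>log4j-[\w-]+):jar:"
    r"(?P<raw>(?P<maj>\d+)\.(?P<min>\d+)(?:\.(?P<pat>\d+))?[^:\s)]*)"
)

# Constructed sample output: the override reached log4j-api, but log4j-core
# (the artifact that carries the JNDI lookup) still resolves to 2.15.0.
SAMPLE_TREE = """\
[INFO] com.example:embedded-ignite-app:jar:1.0
[INFO] +- org.apache.ignite:ignite-core:jar:2.11.0:compile
[INFO] +- org.apache.ignite:ignite-log4j2:jar:2.11.0:compile
[INFO] |  +- org.apache.logging.log4j:log4j-api:jar:2.16.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.15.0:compile
"""


def outdated_log4j(tree_text, minimum=MIN_VERSION):
    """Return sorted 'artifact:version' strings for log4j2 artifacts below minimum."""
    hits = set()
    for m in COORD.finditer(tree_text):
        # A missing patch component (e.g. "2.0-beta9") is treated as 0.
        version = (int(m["maj"]), int(m["min"]), int(m["pat"] or 0))
        if version < minimum:
            hits.add(f"{m['artifact']}:{m['raw']}")
    return sorted(hits)


if __name__ == "__main__":
    for hit in outdated_log4j(SAMPLE_TREE):
        print("below 2.16.0:", hit)
```
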
