https://nvd.nist.gov/vuln/detail/CVE-2021-45046
Score: 3.7 (low)
On 15/12/2021 14:32, Andy Seaborne wrote:
On 14/12/2021 09:03, Andy Seaborne wrote:
There is a 2.16.0 release of log4j2.
Changes:
https://logging.apache.org/log4j/2.x/changes-report.html#a2.15.0
It removes the vulnerable functionality of message formatting and
defaults JNDI to disabled (for configuration files, not logging
messages).
It is not a second security update.
Note for the long term archive:
There is now
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
which is fixed by 2.16.0.
It affects non-default setups of log4j2
Andy
https://logging.apache.org/log4j/2.x/security.html
Andy
On 13/12/2021 17:39, Andy Seaborne wrote:
FYI:
Details of the log4j2 for 2.15.0 -- the vulnerability permanent fix
is the top of the list.
https://logging.apache.org/log4j/2.x/changes-report.html#a2.15.0
Andy
On 10/12/2021 15:17, Andy Seaborne wrote:
More info in the users@ message of the dependency security issue.
https://lists.apache.org/thread/nc3gz7yvokc9ktkzs8078jr5t04nfmdy
The log4j2 issue affects Fuseki and command line tools.
With any recent java, remote code execution is disabled by default.
We'll produce a 4.3.1 with an updated log4j2, and the ongoing
improvements for xloader.
XLoader test run:
1B triples, 40kTPS, 06h 54m 10s
The database is 81G and building needs an additional 11.6G for
workspace for a total of 92G (+ the data which was the first 1
billion triples of Wikidata truthy - 8.2 G nt.gz file).
Andy
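A version check for a Fuseki or command-line-tool lib directory, as an added example (not code from this thread or from the Jena project): it reads the Maven pom.properties marker inside each jar, which is an assumption about how log4j-core jars are packaged, and flags any log4j-core below 2.16.0, the version the thread names as fixing CVE-2021-45046.

```python
"""Flag log4j-core jars older than 2.16.0 on a classpath directory.

Added example, not part of the Jena thread or code base. Assumes the
jars are Maven-built and carry a pom.properties under META-INF/maven.
"""
import io
import re
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 16, 0)  # release the thread names as fixing CVE-2021-45046
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); trailing qualifiers such as '-rc1' are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def log4j_core_version(jar):
    """Version string from a jar (path or file-like), or None if not log4j-core."""
    with zipfile.ZipFile(jar) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def needs_update(version):
    """True when the recorded version predates the 2.16.0 fix."""
    return parse_version(version) < FIXED_VERSION


def scan_lib_dir(lib_dir):
    """List (jar, version, needs_update) for every log4j-core jar in lib_dir."""
    findings = []
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        v = log4j_core_version(jar)
        if v is not None:
            findings.append((str(jar), v, needs_update(v)))
    return findings


def make_fake_log4j_core_jar(version):
    """Constructed sample: an in-memory jar holding only the pom.properties marker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for v in ("2.14.1", "2.15.0", "2.16.0"):  # constructed versions
        status = "needs update" if needs_update(log4j_core_version(make_fake_log4j_core_jar(v))) else "ok"
        print(v, status)
```

Run `scan_lib_dir("/path/to/fuseki/lib")` against a real installation; jars without the Maven marker are skipped rather than misreported.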