[
https://issues.apache.org/jira/browse/NUTCH-2915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458697#comment-17458697
]
ASF GitHub Bot commented on NUTCH-2915:
---------------------------------------
lewismc commented on pull request #713:
URL: https://github.com/apache/nutch/pull/713#issuecomment-992870039
Thanks for pointing that out.
A Log4j 1.x bug (https://bugzilla.redhat.com/show_bug.cgi?id=2031667) does
also exist albeit that it is not the same as the Zero Day vulnerability
(10/10) and requires explicit configuration to enable the JMSAppender. If
you set TopicBindingName or TopicConnectionFactoryBindingName to something
that JNDI can handle … 1.x is vulnerable, just attack vector is "safer" as
it depends on configuration.
There are other RCE exploits against 1.x. It’s end of life and a release
of master branch with the upgrade to 2.15+ would be a good idea.
I’m happy to perform the release unless you want to go ahead with it. Thanks
+1 go this patch
On Mon, Dec 13, 2021 at 12:01 Sebastian Nagel ***@***.***>
wrote:
> +1 shall we push a release?
>
> The released 1.18 still uses log4j 1.x and indexer-elastic ships only with
> log4j-api - if I'm not wrong only Nutch master is affected and no released
> version. But would be good to have a second look on the issue and also to
> prepare for a release in the near future.
>
> —
> You are receiving this because you commented.
> Reply to this email directly, view it on GitHub
> <https://github.com/apache/nutch/pull/713#issuecomment-992836324>, or
> unsubscribe
>
<https://github.com/notifications/unsubscribe-auth/AAI4TF3LW3G3OYFZLL47SH3UQZGJFANCNFSM5J4WRBZA>
> .
> Triage notifications on the go with GitHub Mobile for iOS
>
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
> or Android
>
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
>
>
--
http://home.apache.org/~lewismc/
http://people.apache.org/keys/committer/lewismc
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@nutch.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> Upgrade to log4j 2.15.0
> -----------------------
>
> Key: NUTCH-2915
> URL: https://issues.apache.org/jira/browse/NUTCH-2915
> Project: Nutch
> Issue Type: Bug
> Components: logging
> Affects Versions: 1.19
> Reporter: Sebastian Nagel
> Assignee: Sebastian Nagel
> Priority: Critical
> Fix For: 1.19
>
>
> See [Apache Log4j Security
> Vulnerabilities|https://logging.apache.org/log4j/2.x/security.html].
> Notes:
> - the released 1.18 is not directly affected because it uses log4j 1.x which
> is not affected by CVE-2021-44228. The upgrade from log4j 1.x to 2.14.1 was
> done recently by NUTCH-2885.
> - the plugin indexer-elastic includes a transitive dependency to
> log4j-api-2.11.1 which is not affected - only log4j-core is according to
> [comments by slf4j|http://www.slf4j.org/log4shell.html].
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
