alain pellegrino created RANGER-3555:
----------------------------------------

             Summary: Upgrade log4j from 2.13.3 to 2.16.0
                 Key: RANGER-3555
                 URL: https://issues.apache.org/jira/browse/RANGER-3555
             Project: Ranger
          Issue Type: Bug
          Components: Ranger
    Affects Versions: 2.2.0, 2.1.0
            Reporter: alain pellegrino


The current log4j version (2.11.1 for Ranger 2.1 and 2.13.3 for Ranger 2.2) in 
Ranger has a critical security vulnerability (10/10).

CVE-2021-44228 (and upgraded to 45046) is a vulnerability classified under the 
highest severity mark, i.e. 10 out of 10. It allows an attacker to execute 
arbitrary code by injecting attacker-controlled data into a logged message.

 

[https://nvd.nist.gov/vuln/detail/CVE-2021-44228]

[https://nvd.nist.gov/vuln/detail/CVE-2021-45046]

 

It's highly urgent to have a procedure to upgrade to the newly released version 
2.16 that corrects this vulnerability.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
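
An inventory check for the upgrade requested above, added here as an example (it is not part of the ticket or of the Ranger code base): it walks an install directory, reads the Maven metadata inside each jar so that renamed or bundled copies of log4j-core are still found, and flags any version below 2.16.0. The directory argument and the function names are assumptions; jars nested inside `.war` archives are not unpacked.

```python
import re
import sys
import zipfile
from pathlib import Path

FIXED = (2, 16, 0)  # target version named in the ticket
# Standard Maven metadata entry shipped inside log4j-core jars.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn '2.13.3' (or '2.16.0-SNAPSHOT') into a 3-tuple for comparison."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    parts = [int(p) for p in m.group(0).split(".")][:3] if m else []
    return tuple(parts + [0] * (3 - len(parts)))


def jar_version(jar_path):
    """Prefer the version recorded inside the jar; fall back to the file name."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            if POM_PROPS in jar.namelist():
                text = jar.read(POM_PROPS).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable archive: the file name is all we have
    match = NAME_RE.search(Path(jar_path).name)
    return match.group(1) if match else None


def scan(root):
    """Return sorted (path, version, needs_upgrade) for log4j-core jars under root."""
    findings = []
    for jar_path in Path(root).rglob("*.jar"):
        version = jar_version(jar_path)
        if version is not None:
            findings.append((str(jar_path), version, parse_version(version) < FIXED))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python scan_log4j.py <install-dir>  (directory is an assumption)
    for path, version, needs_upgrade in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(("UPGRADE " if needs_upgrade else "ok      ") + version + "  " + path)
```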
