[ 
https://issues.apache.org/jira/browse/RANGER-3555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Madhan Neethiraj resolved RANGER-3555.
--------------------------------------
    Resolution: Duplicate

CC: [~rmani] 

> Upgrade log4j from 2.13.3 (or 2.11.1) to 2.16.0
> -----------------------------------------------
>
>                 Key: RANGER-3555
>                 URL: https://issues.apache.org/jira/browse/RANGER-3555
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 2.1.0, 2.2.0
>            Reporter: alain pellegrino
>            Priority: Major
>
> The current log4j version (2.11.1 for ranger 2.1 and 2.13.3 for ranger 2.2) 
> in ranger has a critical security vulnerability (10/10).
> CVE-2021-44228 (and upgraded to 45046) is a vulnerability classified under 
> the highest severity mark, i.e. 10 out of 10. It allows an attacker to 
> execute arbitrary code by injecting attacker-controlled data into a logged 
> message.
>  
> [https://nvd.nist.gov/vuln/detail/CVE-2021-44228]
> [https://nvd.nist.gov/vuln/detail/CVE-2021-45046]
>  
> It's highly urgent to have a procedure to upgrade to the newly released 
> version 2.16 that corrects this vulnerability.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
