[
https://issues.apache.org/jira/browse/BEAM-13434?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457162#comment-17457162
]
Alexey Romanenko commented on BEAM-13434:
-----------------------------------------
I reduced the priority to P1 since it affects only the tests of some IOs.
> Bump up Apache log4j2 to 2.15.0 due to the vulnerability
> --------------------------------------------------------
>
> Key: BEAM-13434
> URL: https://issues.apache.org/jira/browse/BEAM-13434
> Project: Beam
> Issue Type: Improvement
> Components: sdk-java-core
> Affects Versions: 2.34.0
> Reporter: Yu Ishikawa
> Priority: P1
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> ## Overview
> 2.0 <= Apache log4j2 <= 2.14.1 has a vulnerability.
>
> > In most cases, developers may write error messages caused by user input
> > into the log. Attackers can use this feature to construct special data
> > request packets through this vulnerability, and ultimately trigger remote
> > code execution.
>
> ## References
> * [https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html]
> * [https://www.spigotmc.org/threads/spigot-security-releases-%E2%80%94-1-8-8%E2%80%931-18.537204/]
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
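The issue description states the affected range as 2.0 <= log4j2 <= 2.14.1 and the target as 2.15.0. The snippet below is an added example, not Beam code or anything attached to this ticket: it checks resolved Maven coordinates against that range with numeric version comparison, because plain string comparison gets cases like "2.9.1" versus "2.14.1" wrong. The sample coordinate list is constructed, the choice to check only the log4j-core artifact (where the message-lookup code lives, log4j-api on its own is not the affected component) is an assumption made for this example, and pre-release qualifiers such as "-beta9" are dropped before comparing, which is deliberately conservative.

```python
"""Flag Maven coordinates whose log4j2 version lies in 2.0 <= v <= 2.14.1,
the range named in BEAM-13434 (added example; not Beam's own code)."""
import re
from typing import List, Tuple

# Affected range as stated in the issue description, inclusive on both ends.
AFFECTED_LOW = (2, 0, 0)
AFFECTED_HIGH = (2, 14, 1)
FIXED_VERSION = "2.15.0"

# Assumption for this example: only log4j-core is checked, since that is the
# artifact carrying the message-lookup code; log4j-api alone is not affected.
LOG4J_GROUP = "org.apache.logging.log4j"
AFFECTED_ARTIFACTS = {"log4j-core"}

# Leading numeric major.minor.patch; anything after (e.g. "-beta9") is ignored.
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Numeric (major, minor, patch) from a version string.

    Qualifiers such as "-beta9" or "-rc1" are dropped, so "2.0-beta9"
    compares as 2.0.0 and is flagged; this is deliberately conservative.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when 2.0 <= version <= 2.14.1 by tuple comparison.

    String comparison would be wrong here: "2.9.1" > "2.14.1" as text.
    """
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


def scan_coordinates(lines: List[str]) -> List[str]:
    """Return the group:artifact:version coordinates that need the bump.

    Input lines are Gradle/Maven style coordinates; blank lines and lines
    starting with '#' are skipped, as are lines without three ':' fields.
    """
    flagged = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 3:
            continue
        group, artifact, version = parts[0], parts[1], parts[2]
        if group == LOG4J_GROUP and artifact in AFFECTED_ARTIFACTS and is_affected(version):
            flagged.append(f"{group}:{artifact}:{version}")
    return flagged


# Constructed sample input for this example (not taken from Beam's build).
SAMPLE_DEPENDENCIES = [
    "# resolved dependencies (constructed sample)",
    "org.apache.logging.log4j:log4j-core:2.14.1",
    "org.apache.logging.log4j:log4j-api:2.14.1",
    "org.apache.logging.log4j:log4j-core:2.9.1",
    "org.apache.logging.log4j:log4j-core:2.0-beta9",
    "org.apache.logging.log4j:log4j-core:2.15.0",
    "org.apache.logging.log4j:log4j-1.2-api:2.14.1",
    "org.slf4j:slf4j-api:1.7.30",
]

if __name__ == "__main__":
    for coord in scan_coordinates(SAMPLE_DEPENDENCIES):
        print(f"{coord} -> bump to {FIXED_VERSION}")
```

Feeding it the output of a dependency report (one coordinate per line) gives the list of modules that still resolve an affected log4j-core; anything at 2.15.0 or later, or outside the log4j-core artifact, is left alone.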