[ https://issues.apache.org/jira/browse/BEAM-13434?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Anonymous updated BEAM-13434:
-----------------------------
Status: Triage Needed (was: Resolved)
> Bump up Apache log4j2 to 2.16.0 due to the vulnerability
> --------------------------------------------------------
>
> Key: BEAM-13434
> URL: https://issues.apache.org/jira/browse/BEAM-13434
> Project: Beam
> Issue Type: Improvement
> Components: sdk-java-core
> Affects Versions: 2.34.0
> Reporter: Yu Ishikawa
> Priority: P1
> Fix For: 2.35.0
>
> Time Spent: 27h 10m
> Remaining Estimate: 0h
>
> ## Overview
> 2.0 <= Apache log4j2 <= 2.14.1 has a vulnerability.
>
> > In most cases, developers may write error messages caused by user input
> > into the log. Attackers can use this feature to construct special data
> > request packets through this vulnerability, and ultimately trigger remote
> > code execution.
>
> [UPDATED]
> The vulnerability is labeled `CVE-2021-44228`.
> * [https://nvd.nist.gov/vuln/detail/CVE-2021-44228]
>
> ## References
> * [https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html]
> * [https://www.spigotmc.org/threads/spigot-security-releases-%E2%80%94-1-8-8%E2%80%931-18.537204/]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
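An added example, not part of the Jira issue above nor of the Apache Beam code base: a small scanner that walks a Maven-style dependency listing, picks out `log4j-core` entries, and reports whether each version falls inside the affected range the issue names (2.0 through 2.14.1) and whether it reaches the 2.16.0 target the issue sets. The dependency lines are constructed for the example (they are not Beam's real dependency tree), and the listing format assumed is the `group:artifact:type:version:scope` shape printed by `mvn dependency:list`. Versions are compared numerically, which matters because a plain string comparison would rank `2.2` above `2.14.1`.

```python
# Added example (not from the Jira issue or from Apache Beam): flag log4j-core
# dependencies whose version lies in the range the issue names as affected
# (2.0 <= version <= 2.14.1) and check them against the 2.16.0 target.
import re
from typing import Dict, List, Tuple

AFFECTED_MIN = (2, 0, 0)    # lower bound stated in the issue
AFFECTED_MAX = (2, 14, 1)   # upper bound stated in the issue
TARGET = (2, 16, 0)         # version the issue bumps to

# Constructed sample in the "group:artifact:type:version:scope" form that
# `mvn dependency:list` prints; these are not Beam's actual dependencies.
SAMPLE_DEPENDENCY_LIST = """\
org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
org.apache.logging.log4j:log4j-core:jar:2.16.0:test
org.slf4j:slf4j-api:jar:1.7.30:compile
org.apache.logging.log4j:log4j-core:jar:2.2:runtime
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.14.1' or '2.2' into a (major, minor, patch) tuple.

    Tuples compare numerically, so 2.2 < 2.14.1 as intended, whereas the
    strings '2.2' and '2.14.1' would compare the other way round.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True if the version is inside the range the issue calls vulnerable."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def meets_target(version: str) -> bool:
    """True if the version is at or above the 2.16.0 the issue bumps to."""
    return parse_version(version) >= TARGET


def scan(dependency_list: str) -> List[Dict[str, object]]:
    """Return one finding per log4j-core line in a Maven-style listing.

    Only log4j-core is examined: it is the artifact that carries the
    lookup/JNDI code path behind CVE-2021-44228, while log4j-api does not.
    """
    findings: List[Dict[str, object]] = []
    for line in dependency_list.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # not a dependency coordinate line
        group, artifact, _packaging, version = parts[:4]
        scope = parts[4] if len(parts) > 4 else ""
        if group == "org.apache.logging.log4j" and artifact == "log4j-core":
            findings.append({
                "version": version,
                "scope": scope,
                "affected": is_affected(version),
                "meets_target": meets_target(version),
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_DEPENDENCY_LIST):
        status = "AFFECTED" if f["affected"] else "ok"
        target = "meets 2.16.0" if f["meets_target"] else "below 2.16.0"
        print(f"log4j-core {f['version']} ({f['scope']}): {status}, {target}")
```

Run against real output by piping `mvn dependency:list` (or the equivalent Gradle report, reshaped into the same coordinate form) into `scan`; any finding with `affected` set is a build that still ships a version inside the issue's range, and any with `meets_target` unset has not yet taken the bump the ticket describes.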