[ https://issues.apache.org/jira/browse/KARAF-7292?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Karthick updated KARAF-7292:
----------------------------
Description:
As reported in CVE-2021-44228 regarding the log4j vulnerability, we are planning to
step up log4j to a clean 2.1.50 or higher, but we cannot do so unless pax-logging is
in the new version 2.0.11.
What is the tentative timeline in which a new Karaf version will be available
with this latest pax-logging version? This info will help us in communicating
to our customers.
was: CVE-2021-26291 reports that Maven versions lower than 3.8.1 are
vulnerable to XRI attacks, where a malicious attacker can imitate a repository.
Apache Karaf 4.3.2 includes pax-url-aether, which packs Maven artifacts of
version 3.6.x. So the CVE impacts Karaf 4.3.2. But does the issue specified in
the CVE, like Maven pulling dependencies from remote directories, really affect
Karaf during runtime? Is it possible that a PoC has been done to validate this
impact on Karaf?
> Karaf update needed for log4j stepup
> ------------------------------------
>
> Key: KARAF-7292
> URL: https://issues.apache.org/jira/browse/KARAF-7292
> Project: Karaf
> Issue Type: Question
> Components: karaf
> Affects Versions: 4.3.2
> Reporter: Karthick
> Assignee: Jean-Baptiste Onofré
> Priority: Major
>
> As reported in CVE-2021-44228 regarding the log4j vulnerability, we are planning
> to step up log4j to a clean 2.1.50 or higher, but we cannot do so unless pax-logging
> is in the new version 2.0.11.
>
> What is the tentative timeline in which a new Karaf version will be available
> with this latest pax-logging version? This info will help us in communicating
> to our customers.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)