[ https://issues.apache.org/jira/browse/HDDS-6143?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Siyao Meng updated HDDS-6143:
-----------------------------
Description:
Release notes:
https://github.com/apache/logging-log4j2/blob/rel/2.17.1/RELEASE-NOTES.md
Looks like another RCE
([CVE-2021-44832|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832])
in 2.17.0.
{code}
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix
releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE)
attack where an attacker with permission to modify the logging configuration
file can construct a malicious configuration using a JDBC Appender with a data
source referencing a JNDI URI which can execute remote code. This issue is
fixed by limiting JNDI data source names to the java protocol in Log4j2
versions 2.17.1, 2.12.4, and 2.3.2.
{code}
https://www.bleepingcomputer.com/news/security/log4j-2171-out-now-fixes-new-remote-code-execution-bug/
was:
Release notes:
https://github.com/apache/logging-log4j2/blob/rel/2.17.1/RELEASE-NOTES.md
Seems like another RCE (CVE-2021-44832) in 2.17.0 according to this article:
https://www.bleepingcomputer.com/news/security/log4j-2171-out-now-fixes-new-remote-code-execution-bug/
> Update log4j version to 2.17.1
> ------------------------------
>
> Key: HDDS-6143
> URL: https://issues.apache.org/jira/browse/HDDS-6143
> Project: Apache Ozone
> Issue Type: Bug
> Reporter: Siyao Meng
> Assignee: Siyao Meng
> Priority: Major
> Labels: pull-request-available
>
> Release notes:
> https://github.com/apache/logging-log4j2/blob/rel/2.17.1/RELEASE-NOTES.md
> Looks like another RCE
> ([CVE-2021-44832|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832])
> in 2.17.0.
> {code}
> Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix
> releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE)
> attack where an attacker with permission to modify the logging configuration
> file can construct a malicious configuration using a JDBC Appender with a
> data source referencing a JNDI URI which can execute remote code. This issue
> is fixed by limiting JNDI data source names to the java protocol in Log4j2
> versions 2.17.1, 2.12.4, and 2.3.2.
> {code}
> https://www.bleepingcomputer.com/news/security/log4j-2171-out-now-fixes-new-remote-code-execution-bug/
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
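The CVE text quoted in the ticket says the 2.17.1 fix limits JDBC appender DataSource JNDI names to the java protocol. As an added example (not part of the ticket or of Ozone's code), the following script applies the same rule to a Log4j2 XML configuration so a deployment can be checked before the upgrade lands: it walks every JDBC appender and reports any DataSource whose jndiName is not in the java: scheme. The configuration embedded below is constructed for the example; the element and attribute names (JDBC, DataSource, jndiName) are Log4j2's own.

```python
"""Flag Log4j2 JDBC appenders whose DataSource JNDI name is outside the java: scheme."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample configuration (not from the ticket). The first JDBC
# appender is the usual container-managed data source; the second uses a
# JNDI name outside the java: namespace, which the 2.17.1 fix refuses.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <Console name="stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c - %m%n"/>
    </Console>
    <JDBC name="auditDb" tableName="audit_log">
      <DataSource jndiName="java:comp/env/jdbc/AuditDS"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JDBC name="remoteDb" tableName="events">
      <DataSource jndiName="rmi://lookup.invalid/EventDS"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="stdout"/></Root></Loggers>
</Configuration>
"""


def _local(tag):
    # Strip any XML namespace prefix; Log4j2 element names are case-insensitive.
    return tag.rsplit("}", 1)[-1].lower()


def find_unsafe_jndi_datasources(xml_text):
    """Return (appender name, jndiName) pairs whose JNDI name is not java:."""
    root = ET.fromstring(xml_text)
    findings = []
    for appender in root.iter():
        if _local(appender.tag) != "jdbc":
            continue
        for child in appender:
            if _local(child.tag) != "datasource":
                continue
            # Attribute names are also matched case-insensitively; a missing
            # name yields "" and is reported as well.
            name = next((v for k, v in child.attrib.items()
                         if k.lower() == "jndiname"), "")
            if urlsplit(name).scheme.lower() != "java":
                findings.append((appender.get("name", "<unnamed>"), name))
    return findings


if __name__ == "__main__":
    for appender_name, jndi in find_unsafe_jndi_datasources(SAMPLE_CONFIG):
        print(f"appender {appender_name!r}: non-java JNDI DataSource {jndi!r}")
```

The check is a stop-gap for auditing existing configurations; the actual fix is the version bump the ticket tracks.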