[ https://issues.apache.org/jira/browse/HDDS-6143?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Attila Doroszlai resolved HDDS-6143.
------------------------------------
Fix Version/s: 1.2.2
Resolution: Fixed
> Update log4j version to 2.17.1
> ------------------------------
>
> Key: HDDS-6143
> URL: https://issues.apache.org/jira/browse/HDDS-6143
> Project: Apache Ozone
> Issue Type: Bug
> Components: build
> Reporter: Siyao Meng
> Assignee: Siyao Meng
> Priority: Major
> Labels: pull-request-available
> Fix For: 1.3.0, 1.2.2
>
>
> Release notes:
> https://github.com/apache/logging-log4j2/blob/rel/2.17.1/RELEASE-NOTES.md
> Looks like another RCE
> ([CVE-2021-44832|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832])
> in 2.17.0.
> {code}
> Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix
> releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE)
> attack where an attacker with permission to modify the logging configuration
> file can construct a malicious configuration using a JDBC Appender with a
> data source referencing a JNDI URI which can execute remote code. This issue
> is fixed by limiting JNDI data source names to the java protocol in Log4j2
> versions 2.17.1, 2.12.4, and 2.3.2.
> {code}
> https://www.bleepingcomputer.com/news/security/log4j-2171-out-now-fixes-new-remote-code-execution-bug/
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
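The mitigation the CVE text describes (JNDI data source names limited to the `java:` protocol) turned into a configuration check that a defender can run over a log4j2.xml before or after the upgrade. This is an added example, not Ozone or Log4j code; the checker is hypothetical and the two sample configurations are constructed.

```python
"""Flag Log4j 2 JDBC appenders whose DataSource uses a non-"java:" JNDI name.

Hypothetical checker (not Log4j code): 2.17.1 restricts JNDI data source
names to the java: protocol, so any other scheme in a config is worth a look.
"""
import xml.etree.ElementTree as ET

SAFE_PREFIX = "java:"


def _is_jdbc_appender(el: ET.Element) -> bool:
    """Accept both <JDBC .../> and the strict form <Appender type="JDBC"/>."""
    tag = el.tag.lower()
    return tag == "jdbc" or (tag == "appender" and el.get("type", "").lower() == "jdbc")


def find_jndi_datasources(config_xml: str):
    """Return (appender_name, jndiName) for every DataSource under a JDBC appender."""
    root = ET.fromstring(config_xml)
    hits = []
    for appender in root.iter():
        if not _is_jdbc_appender(appender):
            continue
        for ds in appender.iter():
            if ds.tag.lower() == "datasource":
                hits.append((appender.get("name", "?"), ds.get("jndiName", "")))
    return hits


def unsafe_jndi_datasources(config_xml: str):
    """Subset of find_jndi_datasources() whose jndiName is not a java: name."""
    return [(n, j) for n, j in find_jndi_datasources(config_xml) if not j.startswith(SAFE_PREFIX)]


# Constructed sample configurations (not taken from the page).
OK_CONFIG = """<Configuration>
  <Appenders>
    <JDBC name="db" tableName="application_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
  </Appenders>
</Configuration>"""

FLAGGED_CONFIG = """<Configuration>
  <Appenders>
    <Appender type="JDBC" name="db" tableName="application_log">
      <DataSource jndiName="ldap://example.invalid/datasource"/>
    </Appender>
  </Appenders>
</Configuration>"""

if __name__ == "__main__":
    for label, cfg in (("ok", OK_CONFIG), ("flagged", FLAGGED_CONFIG)):
        print(label, unsafe_jndi_datasources(cfg))
```

Point it at a real log4j2.xml by reading the file into a string; a non-empty result means the configuration relies on a JNDI scheme that 2.17.1 no longer honours.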