[ 
https://issues.apache.org/jira/browse/RATIS-1477?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Tsz-wo Sze updated RATIS-1477:
------------------------------
    Description: 
According to https://www.slf4j.org/log4shell.html , 
{quote}
..., log4j 1.x comes with JMSAppender which will perform a JNDI lookup if 
enabled in log4j's configuration file, i.e. log4j.properties or log4j.xml.
{quote}
Therefore, it is better to exclude JMSAppender.class from the generated jar.

See also [CVE-2021-4104|https://nvd.nist.gov/vuln/detail/CVE-2021-4104].

  was:
According to https://www.slf4j.org/log4shell.html , 
{quote}
..., log4j 1.x comes with JMSAppender which will perform a JNDI lookup if 
enabled in log4j's configuration file, i.e. log4j.properties or log4j.xml.
{quote}
Therefore, it is better to exclude JMSAppender.class from the generated jar.


> Exclude log4j JMSAppender.class in jar
> --------------------------------------
>
>                 Key: RATIS-1477
>                 URL: https://issues.apache.org/jira/browse/RATIS-1477
>             Project: Ratis
>          Issue Type: Improvement
>          Components: build
>            Reporter: Tsz-wo Sze
>            Assignee: Tsz-wo Sze
>            Priority: Major
>             Fix For: 2.3.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> According to https://www.slf4j.org/log4shell.html , 
> {quote}
> ..., log4j 1.x comes with JMSAppender which will perform a JNDI lookup if 
> enabled in log4j's configuration file, i.e. log4j.properties or log4j.xml.
> {quote}
> Therefore, it is better to exclude JMSAppender.class from the generated jar.
> See also [CVE-2021-4104|https://nvd.nist.gov/vuln/detail/CVE-2021-4104].



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
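
One way to verify the outcome this issue asks for, as an added example that is not code from the Ratis project or from this message: scan a built jar, including any jars nested inside it, for a packaged `JMSAppender.class` and for a bundled `log4j.properties` or `log4j.xml` that names JMSAppender. The class path `org/apache/log4j/net/JMSAppender.class` is where log4j 1.x keeps the class; the function names `scan_jar` and `build_jar` are hypothetical and the sample jars are constructed in memory.

```python
import io
import zipfile

# Location of the class inside a log4j 1.x jar (package org.apache.log4j.net).
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
CONFIG_NAMES = ("log4j.properties", "log4j.xml")


def scan_jar(data, origin="<jar>"):
    """Return (kind, location) findings for a jar given as bytes.

    kind is "class" when JMSAppender.class is packaged, or "config" when a
    bundled log4j configuration file names JMSAppender. Nested jars are
    scanned recursively.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            where = f"{origin}!/{name}"
            if name.endswith(JMS_APPENDER):
                # endswith also matches a copy placed under a shaded prefix
                findings.append(("class", where))
            elif name.rsplit("/", 1)[-1] in CONFIG_NAMES:
                text = zf.read(name).decode("utf-8", errors="replace")
                if "JMSAppender" in text:
                    findings.append(("config", where))
            elif name.endswith(".jar"):
                try:
                    findings.extend(scan_jar(zf.read(name), where))
                except zipfile.BadZipFile:
                    pass  # named .jar but not an archive; nothing to inspect
    return findings


def build_jar(entries):
    """Build a constructed sample jar in memory from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a fat jar nesting an unfiltered log4j 1.x jar.
    inner = build_jar({JMS_APPENDER: b"\xca\xfe\xba\xbe"})
    props = b"log4j.appender.A=org.apache.log4j.net.JMSAppender\n"
    fat = build_jar({"lib/log4j.jar": inner, "log4j.properties": props})
    for kind, where in scan_jar(fat, "sample.jar"):
        print(kind, where)
```

An empty result for the release jar means the class was excluded and no bundled configuration enables the appender.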
