RE: Recent log4j vulnerability
Would 3.11 be considered as well? This would also then keep (stupid/static) sec scans silent in regard to https://nvd.nist.gov/vuln/detail/CVE-2017-5929 Thanks -Original Message- From: J. D. Jordan Sent: Dienstag, 14. Dezember 2021 16:27 To: dev@cassandra.apache.org Subject: Re: Recent log4j vulnerability Doesn’t hurt to upgrade. But no exploit there as far as I can see? If someone can update your config files to point them to JNDI, you have worse problems than that. Like they can probably update your config files to just completely open up JMX access or what ever also. > On Dec 14, 2021, at 9:17 AM, Brandon Williams wrote: > > The POC seems to require the attacker be able to upload a file that > overwrites the configuration, with hot reloading enabled. We do have > hot reloading enabled but there's no inherent way to overwrite the > config. > > That said with logback currently at 1.2.3 (in trunk), perhaps we > should consider an upgrade for safety. > >> On Tue, Dec 14, 2021 at 8:50 AM Steinmaurer, Thomas >> wrote: >> >> Any thoughts what the logback folks have been filed here? >> https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fjir >> a.qos.ch%2Fbrowse%2FLOGBACK-1591data=04%7C01%7Cthomas.steinmaure >> r%40dynatrace.com%7C3c8fc229b1ae41d67d3908d9bf177d1a%7C70ebe3a35b3043 >> 5d9d677716d74ca190%7C1%7C0%7C637750929883113638%7CUnknown%7CTWFpbGZsb >> 3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D >> %7C3000sdata=Y2uKdA2lBJui3eOgv6NxDsA4P3knHmQnKDQfHbJXjPY%3D >> reserved=0 >> >> Thanks! >> >> -Original Message- >> From: Brandon Williams >> Sent: Sonntag, 12. Dezember 2021 18:56 >> To: dev@cassandra.apache.org >> Subject: Recent log4j vulnerability >> >> I replied to a user- post about this, but thought it was worth repeating it >> here. >> >> In >> https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.apache.org%2Fjira%2Fbrowse%2FCASSANDRA-5883data=04%7C01%7Cthomas.steinmaurer%40dynatrace.com%7C3c8fc229b1ae41d67d3908d9bf177d1a%7C70ebe3a35b30435d9d677716d74ca190%7C1%7C0%7C637750929883113638%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000sdata=xNXgCyJwyqNmNQ375upcg5JK4cv%2F6up25btbVyqxqp8%3Dreserved=0 >> you can see where Apache Cassandra never chose to use log4j2 (preferring >> logback instead), and thus is not, and has never been, vulnerable to this >> RCE. >> >> Kind Regards, >> Brandon >> >> - >> To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org >> For additional commands, e-mail: dev-h...@cassandra.apache.org >> >> This email may contain confidential information. If it appears this message >> was sent to you by mistake, please let us know of the error. In this case, >> we also ask that you do not further forward the content and delete it. Thank >> you for your cooperation and understanding. Dynatrace Austria GmbH >> (registration number FN 91482h) is a company registered in Linz whose >> registered office is at 4020 Linz, Austria, Am Fünfundzwanziger Turm 20. >> >> - >> To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org >> For additional commands, e-mail: dev-h...@cassandra.apache.org >> > > - > To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org > For additional commands, e-mail: dev-h...@cassandra.apache.org > - To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org For additional commands, e-mail: dev-h...@cassandra.apache.org This email may contain confidential information. If it appears this message was sent to you by mistake, please let us know of the error. In this case, we also ask that you do not further forward the content and delete it. Thank you for your cooperation and understanding. Dynatrace Austria GmbH (registration number FN 91482h) is a company registered in Linz whose registered office is at 4020 Linz, Austria, Am Fünfundzwanziger Turm 20. - To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org For additional commands, e-mail: dev-h...@cassandra.apache.org
Re: Recent log4j vulnerability
Doesn’t hurt to upgrade. But no exploit there as far as I can see? If someone can update your config files to point them to JNDI, you have worse problems than that. Like they can probably update your config files to just completely open up JMX access or what ever also. > On Dec 14, 2021, at 9:17 AM, Brandon Williams wrote: > > The POC seems to require the attacker be able to upload a file that > overwrites the configuration, with hot reloading enabled. We do have > hot reloading enabled but there's no inherent way to overwrite the > config. > > That said with logback currently at 1.2.3 (in trunk), perhaps we > should consider an upgrade for safety. > >> On Tue, Dec 14, 2021 at 8:50 AM Steinmaurer, Thomas >> wrote: >> >> Any thoughts what the logback folks have been filed here? >> https://jira.qos.ch/browse/LOGBACK-1591 >> >> Thanks! >> >> -Original Message- >> From: Brandon Williams >> Sent: Sonntag, 12. Dezember 2021 18:56 >> To: dev@cassandra.apache.org >> Subject: Recent log4j vulnerability >> >> I replied to a user- post about this, but thought it was worth repeating it >> here. >> >> In >> https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.apache.org%2Fjira%2Fbrowse%2FCASSANDRA-5883data=04%7C01%7Cthomas.steinmaurer%40dynatrace.com%7C8016a1aeed8c4589cbe408d9bd9a0920%7C70ebe3a35b30435d9d677716d74ca190%7C1%7C0%7C637749291586596208%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000sdata=0klDN4WmFkt876OCsXL%2FX%2FUXa%2FrsxmwCKFgmnP4Lctw%3Dreserved=0 >> you can see where Apache Cassandra never chose to use log4j2 (preferring >> logback instead), and thus is not, and has never been, vulnerable to this >> RCE. >> >> Kind Regards, >> Brandon >> >> - >> To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org >> For additional commands, e-mail: dev-h...@cassandra.apache.org >> >> This email may contain confidential information. If it appears this message >> was sent to you by mistake, please let us know of the error. In this case, >> we also ask that you do not further forward the content and delete it. Thank >> you for your cooperation and understanding. Dynatrace Austria GmbH >> (registration number FN 91482h) is a company registered in Linz whose >> registered office is at 4020 Linz, Austria, Am Fünfundzwanziger Turm 20. >> >> - >> To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org >> For additional commands, e-mail: dev-h...@cassandra.apache.org >> > > - > To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org > For additional commands, e-mail: dev-h...@cassandra.apache.org > - To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org For additional commands, e-mail: dev-h...@cassandra.apache.org
Re: Recent log4j vulnerability
The POC seems to require the attacker be able to upload a file that overwrites the configuration, with hot reloading enabled. We do have hot reloading enabled but there's no inherent way to overwrite the config. That said with logback currently at 1.2.3 (in trunk), perhaps we should consider an upgrade for safety. On Tue, Dec 14, 2021 at 8:50 AM Steinmaurer, Thomas wrote: > > Any thoughts what the logback folks have been filed here? > https://jira.qos.ch/browse/LOGBACK-1591 > > Thanks! > > -Original Message- > From: Brandon Williams > Sent: Sonntag, 12. Dezember 2021 18:56 > To: dev@cassandra.apache.org > Subject: Recent log4j vulnerability > > I replied to a user- post about this, but thought it was worth repeating it > here. > > In > https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.apache.org%2Fjira%2Fbrowse%2FCASSANDRA-5883data=04%7C01%7Cthomas.steinmaurer%40dynatrace.com%7C8016a1aeed8c4589cbe408d9bd9a0920%7C70ebe3a35b30435d9d677716d74ca190%7C1%7C0%7C637749291586596208%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000sdata=0klDN4WmFkt876OCsXL%2FX%2FUXa%2FrsxmwCKFgmnP4Lctw%3Dreserved=0 > you can see where Apache Cassandra never chose to use log4j2 (preferring > logback instead), and thus is not, and has never been, vulnerable to this RCE. > > Kind Regards, > Brandon > > - > To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org > For additional commands, e-mail: dev-h...@cassandra.apache.org > > This email may contain confidential information. If it appears this message > was sent to you by mistake, please let us know of the error. In this case, we > also ask that you do not further forward the content and delete it. Thank you > for your cooperation and understanding. Dynatrace Austria GmbH (registration > number FN 91482h) is a company registered in Linz whose registered office is > at 4020 Linz, Austria, Am Fünfundzwanziger Turm 20. > > - > To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org > For additional commands, e-mail: dev-h...@cassandra.apache.org > - To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org For additional commands, e-mail: dev-h...@cassandra.apache.org
RE: Recent log4j vulnerability
Any thoughts what the logback folks have been filed here? https://jira.qos.ch/browse/LOGBACK-1591 Thanks! -Original Message- From: Brandon Williams Sent: Sonntag, 12. Dezember 2021 18:56 To: dev@cassandra.apache.org Subject: Recent log4j vulnerability I replied to a user- post about this, but thought it was worth repeating it here. In https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.apache.org%2Fjira%2Fbrowse%2FCASSANDRA-5883data=04%7C01%7Cthomas.steinmaurer%40dynatrace.com%7C8016a1aeed8c4589cbe408d9bd9a0920%7C70ebe3a35b30435d9d677716d74ca190%7C1%7C0%7C637749291586596208%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000sdata=0klDN4WmFkt876OCsXL%2FX%2FUXa%2FrsxmwCKFgmnP4Lctw%3Dreserved=0 you can see where Apache Cassandra never chose to use log4j2 (preferring logback instead), and thus is not, and has never been, vulnerable to this RCE. Kind Regards, Brandon - To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org For additional commands, e-mail: dev-h...@cassandra.apache.org This email may contain confidential information. If it appears this message was sent to you by mistake, please let us know of the error. In this case, we also ask that you do not further forward the content and delete it. Thank you for your cooperation and understanding. Dynatrace Austria GmbH (registration number FN 91482h) is a company registered in Linz whose registered office is at 4020 Linz, Austria, Am Fünfundzwanziger Turm 20. - To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org For additional commands, e-mail: dev-h...@cassandra.apache.org
