Re: 0-day CVE in log4j

2021-12-20 Thread Maxim Muzafarov
Vishwas Bm,

I've found the same for the Zookeeper IP finder module [1].
It seems to me that it must also be fixed.

[1] https://github.com/apache/ignite/blob/master/modules/zookeeper/pom.xml#L114

On Mon, 20 Dec 2021 at 13:39, Vishwas Bm wrote:

Re: 0-day CVE in log4j

2021-12-20 Thread Vishwas Bm
Correct URL to the rest-http module:

https://github.com/apache/ignite/blob/21f7ca41c4348909e2fd26ccf59b5b2ce1f4474e/modules/rest-http/pom.xml#L131

On Mon, 20 Dec 2021, 16:06 Vishwas Bm wrote:



Re: 0-day CVE in log4j

2021-12-20 Thread Vishwas Bm
Hi,

Why is the Ignite REST module still using an old log4j version dependency?

https://github.com/apache/ignite/blob/21f7ca41c4348909e2fd26ccf59b5b2ce1f4474e/modules/log4j/pom.xml#L46

Can this be removed? There is a critical CVE against this package.

Regards,
Vishwas


On Wed, 15 Dec 2021, 12:57 Aleksandr Nikolaev wrote:



Re: 0-day CVE in log4j

2021-12-14 Thread Aleksandr Nikolaev

Hi folks,

OK, I'm updating log4j from version 2.15 to 2.16.

https://issues.apache.org/jira/browse/IGNITE-16127


On 15.12.2021 09:54, Pavel Tupitsyn wrote:



Re: 0-day CVE in log4j

2021-12-14 Thread Pavel Tupitsyn
Igniters,

Looks like we need to update to 2.16; there is an additional attack vector [1].

[1]
https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/

On Mon, Dec 13, 2021 at 4:06 PM Maxim Muzafarov wrote:



Re: 0-day CVE in log4j

2021-12-13 Thread Maxim Muzafarov
Folks,

Should we describe all the WA (workarounds) available for the issue [1]? There is
already a lot of information about the CVE, but nevertheless it will not
be superfluous.

[1] https://issues.apache.org/jira/browse/IGNITE-16101

On Mon, 13 Dec 2021 at 15:37, Ivan Daschinsky wrote:


Re: 0-day CVE in log4j

2021-12-13 Thread Ivan Daschinsky
Unfortunately, we need to patch our Log4j2 adapter in order to work with
log4j 2.15, so there is no choice other than to release 2.11.1.

Mon, 13 Dec 2021 at 15:21, Anton Vinogradov:



-- 
Sincerely yours, Ivan Daschinskiy


Re: 0-day CVE in log4j

2021-12-13 Thread Maxim Muzafarov
+1 for the 2.11.1

On Mon, 13 Dec 2021 at 15:21, Anton Vinogradov wrote:


Re: 0-day CVE in log4j

2021-12-13 Thread Anton Vinogradov
Folks,

My 200 rubles here,
> I want to include it in the 2.12 scope.
Why not 2.11.1 as well?
We should provide a fixed version for current customers ASAP.
2.12 requires migration, while 2.11.1 can be applied as-is.


On Mon, Dec 13, 2021 at 12:18 PM Stephen Darlington <stephen.darling...@gridgain.com> wrote:



Re: 0-day CVE in log4j

2021-12-13 Thread Stephen Darlington
Another workaround appears to be using the -Dlog4j2.formatMsgNoLookups=true option. Also, “Java versions greater than 6u211, 7u201, 8u191, and 11.0.1 are less affected by this attack vector, at least in theory, because the JNDI can't load remote code using LDAP.”

(https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/)

> On 12 Dec 2021, at 10:56, Dmitriy Pavlov wrote:


Re: 0-day CVE in log4j

2021-12-12 Thread Dmitriy Pavlov
Hi Igniters,

Preliminary: change of the log4j version does not affect any tests
(Alexander Nikolaev, correct me if I'm wrong).

If you're using embedded Ignite, it's perfectly possible to enforce the log4j2
dependency to be 2.15.0 in your project's final pom.xml, build.gradle or
any other build system's properties.

The https://issues.apache.org/jira/browse/IGNITE-16101 ticket seems to be
a blocker for 2.12. But for now, as a workaround, it's possible to select
the latest version manually.

Sincerely,
Dmitriy Pavlov

Sat, 11 Dec 2021 at 09:47, Nikita Amelchev:

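
Dmitriy's suggestion above (pin the log4j2 version in your own pom.xml) and Vishwas's question about modules still carrying an old log4j version both come down to checking which version a pom actually resolves. The following is an added example, not Ignite project code: a small Python audit that reads a single pom.xml (assumes the Maven 4.0.0 POM namespace and no parent inheritance), expands ${...} properties and dependencyManagement, and flags log4j-core below 2.16.0, the release the thread moves to; the sample pom is constructed.

```python
"""Audit a Maven pom.xml for log4j-core versions below a fixed release.
Added example, not Apache Ignite project code. The pom below is a constructed
sample; 2.16.0 is the release the thread moves to after CVE-2021-45046."""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"
LOG4J_GROUP = "org.apache.logging.log4j"
FIXED_VERSION = "2.16.0"  # assumption: later 2.x fixes are not modelled here

# Constructed sample: the log4j version is pinned through a property and
# dependencyManagement, while the module's own log4j-core entry carries no
# version, so the old version is only visible after resolving both.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <log4j.version>2.14.1</log4j.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>${log4j.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.16.0</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """'2.14.1' -> (2, 14, 1), so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def _text(elem, tag):
    child = elem.find(POM_NS + tag)
    return child.text.strip() if child is not None and child.text else None


def _expand(value, props):
    """Replace ${name} with its <properties> value; unknown names stay as-is."""
    if value is None:
        return None
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def log4j_versions(pom_xml):
    """{artifactId: effective version} for org.apache.logging.log4j dependencies.
    The version comes from dependencyManagement when the dependency omits it;
    None means it could not be resolved from this pom alone."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.replace(POM_NS, ""): (p.text or "").strip()
             for p in root.findall(f"{POM_NS}properties/*")}
    managed, found = {}, {}
    for dep in root.findall(f"{POM_NS}dependencyManagement/{POM_NS}dependencies/{POM_NS}dependency"):
        if _text(dep, "groupId") == LOG4J_GROUP:
            managed[_text(dep, "artifactId")] = _expand(_text(dep, "version"), props)
    for dep in root.findall(f"{POM_NS}dependencies/{POM_NS}dependency"):
        if _text(dep, "groupId") == LOG4J_GROUP:
            artifact = _text(dep, "artifactId")
            found[artifact] = _expand(_text(dep, "version"), props) or managed.get(artifact)
    return found


def audit(pom_xml, fixed=FIXED_VERSION):
    """Findings as (artifactId, version): log4j-core below `fixed` (the JNDI
    lookup code lives in log4j-core) and any log4j artifact whose version could
    not be resolved, since an unknown version cannot be shown to be safe."""
    findings = []
    for artifact, version in log4j_versions(pom_xml).items():
        if version is None or "${" in version:
            findings.append((artifact, "unresolved"))
        elif artifact == "log4j-core" and parse_version(version) < parse_version(fixed):
            findings.append((artifact, version))
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_POM))  # [('log4j-core', '2.14.1')]
```

Running the same audit over each module's pom.xml in a checkout shows which modules still need the override, which is exactly the question the rest-http and zookeeper module links above raise.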


Re: 0-day CVE in log4j

2021-12-10 Thread Nikita Amelchev
Hello.

The issue to update the dependency was created:
https://issues.apache.org/jira/browse/IGNITE-16101

I want to include it in the 2.12 scope.

Sat, 11 Dec 2021, 09:19 Raymond Wilson:

> All
>
> This blew up today: CVE-2021-44228
> (https://www.bleepingcomputer.com/news/security/new-zero-day-exploit-for-log4j-java-library-is-an-enterprise-nightmare/)
>
> Will there be a risk assessment with respect to Ignite for this CVE?
>
> Thanks,
> Raymond.
>
> --
> Raymond Wilson
> Trimble Distinguished Engineer, Civil Construction Software (CCS)
> 11 Birmingham Drive | Christchurch, New Zealand
> raymond_wil...@trimble.com
> <https://worksos.trimble.com/?utm_source=Trimble_medium=emailsign_campaign=Launch>