[jira] [Commented] (OFBIZ-12470) [SECURITY] CVE-2021-45105: Apache Log4j2
[ https://issues.apache.org/jira/browse/OFBIZ-12470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17469909#comment-17469909 ] ASF subversion and git services commented on OFBIZ-12470: - Commit 00896e73bce0ab3cb9541c37a4405b23d32911c0 in ofbiz-framework's branch refs/heads/release17.12 from Jacques Le Roux [ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=00896e7 ] Fixed: Announce 17.12.09 EOL (OFBIZ-12479) Includes: [SECURITY] CVE-2021-44228: Apache Log4j2 (OFBIZ-12449) [SECURITY] CVE-2021-45105: Apache Log4j2 (OFBIZ-12470) [SECURITY] Update TIka because of Apache Log4j2 vulnerability (OFBIZ-12474) [SECURITY] CVE-2021-44832: Apache Log4j2 (OFBIZ-12475) > [SECURITY] CVE-2021-45105: Apache Log4j2 > > > Key: OFBIZ-12470 > URL: https://issues.apache.org/jira/browse/OFBIZ-12470 > Project: OFBiz > Issue Type: Sub-task > Components: ALL COMPONENTS >Affects Versions: 18.12.03 >Reporter: Jacques Le Roux >Assignee: Jacques Le Roux >Priority: Blocker > Fix For: 18.12.04 > > > CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 does not > protect from uncontrolled recursion from self-referential lookups. This > allows an attacker with control over Thread Context Map data to cause a > denial of service when a crafted string is interpreted. This issue is fixed > in Log4j 2.17.0.: https://logging.apache.org/log4j/2.x/security.html -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Commented] (OFBIZ-12470) [SECURITY] CVE-2021-45105: Apache Log4j2
[ https://issues.apache.org/jira/browse/OFBIZ-12470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17462097#comment-17462097 ] ASF subversion and git services commented on OFBIZ-12470: - Commit 4cff613b18dfbe7278b0f241cbc598a5fb8bbc18 in ofbiz-framework's branch refs/heads/release18.12 from Jacques Le Roux [ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=4cff613 ] Fixed: [SECURITY] CVE-2021-45105: Apache Log4j2 (OFBIZ-12470) The configuration seems to have changed. log4j-slf4j18-impl available in Maven as 2.16.0 is not in 2.17.0. Also log4j-web is now needed. In R18 as compile when in trunk as readonly... I was guided by this block in console.log of trunk demo: Caused by: java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/util/SetUtils at org.apache.logging.log4j.web.Log4jWebInitializerImpl.getConfigURI(Log4jWebInitializerImpl.java:196) at org.apache.logging.log4j.web.Log4jWebInitializerImpl.initializeNonJndi(Log4jWebInitializerImpl.java:175) at org.apache.logging.log4j.web.Log4jWebInitializerImpl.start(Log4jWebInitializerImpl.java:112) at org.apache.logging.log4j.web.Log4jServletContainerInitializer.onStartup(Log4jServletContainerInitializer.java:57) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5219) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) I'll dbl-check why, notably about log4j-slf4j18-impl. At least it works well like that. > [SECURITY] CVE-2021-45105: Apache Log4j2 > > > Key: OFBIZ-12470 > URL: https://issues.apache.org/jira/browse/OFBIZ-12470 > Project: OFBiz > Issue Type: Sub-task > Components: ALL COMPONENTS >Affects Versions: 18.12.04 >Reporter: Jacques Le Roux >Assignee: Jacques Le Roux >Priority: Blocker > > CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 does not > protect from uncontrolled recursion from self-referential lookups. This > allows an attacker with control over Thread Context Map data to cause a > denial of service when a crafted string is interpreted. This issue is fixed > in Log4j 2.17.0.: https://logging.apache.org/log4j/2.x/security.html -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Commented] (OFBIZ-12470) [SECURITY] CVE-2021-45105: Apache Log4j2
[ https://issues.apache.org/jira/browse/OFBIZ-12470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17462098#comment-17462098 ] ASF subversion and git services commented on OFBIZ-12470: - Commit 3e05cf0443449836fd6f2b0df4a5432017df4c92 in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux [ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=3e05cf0 ] Fixed: [SECURITY] CVE-2021-45105: Apache Log4j2 (OFBIZ-12470) The configuration seems to have changed. log4j-slf4j18-impl available in Maven as 2.16.0 is not in 2.17.0. Also log4j-web is now needed. I was guided by this block in console.log of trunk demo: Caused by: java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/util/SetUtils at org.apache.logging.log4j.web.Log4jWebInitializerImpl.getConfigURI(Log4jWebInitializerImpl.java:196) at org.apache.logging.log4j.web.Log4jWebInitializerImpl.initializeNonJndi(Log4jWebInitializerImpl.java:175) at org.apache.logging.log4j.web.Log4jWebInitializerImpl.start(Log4jWebInitializerImpl.java:112) at org.apache.logging.log4j.web.Log4jServletContainerInitializer.onStartup(Log4jServletContainerInitializer.java:57) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5219) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) I'll dbl-check why, notably about log4j-slf4j18-impl. At least it works well like that. > [SECURITY] CVE-2021-45105: Apache Log4j2 > > > Key: OFBIZ-12470 > URL: https://issues.apache.org/jira/browse/OFBIZ-12470 > Project: OFBiz > Issue Type: Sub-task > Components: ALL COMPONENTS >Affects Versions: 18.12.04 >Reporter: Jacques Le Roux >Assignee: Jacques Le Roux >Priority: Blocker > > CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 does not > protect from uncontrolled recursion from self-referential lookups. This > allows an attacker with control over Thread Context Map data to cause a > denial of service when a crafted string is interpreted. This issue is fixed > in Log4j 2.17.0.: https://logging.apache.org/log4j/2.x/security.html -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Commented] (OFBIZ-12470) [SECURITY] CVE-2021-45105: Apache Log4j2
[ https://issues.apache.org/jira/browse/OFBIZ-12470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17462057#comment-17462057 ] ASF subversion and git services commented on OFBIZ-12470: - Commit 78ce0e3fc74e0c2b92077111b756550b692d1576 in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux [ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=78ce0e3 ] Fixed: [SECURITY] CVE-2021-45105: Apache Log4j2 (OFBIZ-12470) CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 does not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue is fixed in Log4j 2.17.0.: https://logging.apache.org/log4j/2.x/security.html > [SECURITY] CVE-2021-45105: Apache Log4j2 > > > Key: OFBIZ-12470 > URL: https://issues.apache.org/jira/browse/OFBIZ-12470 > Project: OFBiz > Issue Type: Sub-task > Components: ALL COMPONENTS >Affects Versions: 18.12.04 >Reporter: Jacques Le Roux >Assignee: Jacques Le Roux >Priority: Blocker > > CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 does not > protect from uncontrolled recursion from self-referential lookups. This > allows an attacker with control over Thread Context Map data to cause a > denial of service when a crafted string is interpreted. This issue is fixed > in Log4j 2.17.0.: https://logging.apache.org/log4j/2.x/security.html -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Commented] (OFBIZ-12470) [SECURITY] CVE-2021-45105: Apache Log4j2
[ https://issues.apache.org/jira/browse/OFBIZ-12470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17462056#comment-17462056 ] ASF subversion and git services commented on OFBIZ-12470: - Commit 4442c2adcad6f50afe232fbeddb36a3143226c66 in ofbiz-framework's branch refs/heads/release18.12 from Jacques Le Roux [ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=4442c2a ] Fixed: [SECURITY] CVE-2021-45105: Apache Log4j2 (OFBIZ-12470) CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 does not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue is fixed in Log4j 2.17.0.: https://logging.apache.org/log4j/2.x/security.html > [SECURITY] CVE-2021-45105: Apache Log4j2 > > > Key: OFBIZ-12470 > URL: https://issues.apache.org/jira/browse/OFBIZ-12470 > Project: OFBiz > Issue Type: Sub-task > Components: ALL COMPONENTS >Affects Versions: 18.12.04 >Reporter: Jacques Le Roux >Assignee: Jacques Le Roux >Priority: Blocker > > CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 does not > protect from uncontrolled recursion from self-referential lookups. This > allows an attacker with control over Thread Context Map data to cause a > denial of service when a crafted string is interpreted. This issue is fixed > in Log4j 2.17.0.: https://logging.apache.org/log4j/2.x/security.html -- This message was sent by Atlassian Jira (v8.20.1#820001)