[
https://issues.apache.org/jira/browse/STORM-3808?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ethan Li resolved STORM-3808.
-----------------------------
Resolution: Duplicate
> Bump log4j version to 2.16.0 (original ticket was 2.15.0)
> ---------------------------------------------------------
>
> Key: STORM-3808
> URL: https://issues.apache.org/jira/browse/STORM-3808
> Project: Apache Storm
> Issue Type: Improvement
> Reporter: Luke Sun
> Priority: Major
>
> For CVE-2021-44228, bump log4j to 2.15.0.
> {quote}
> News
> CVE-2021-44228
> The Log4j team has been made aware of a security vulnerability,
> CVE-2021-44228, that has been addressed in Log4j 2.15.0.
> Log4j’s JNDI support has not restricted what names could be resolved. Some
> protocols are unsafe or can allow remote code execution. Log4j now limits the
> protocols by default to only java, ldap, and ldaps and limits the ldap
> protocols to only accessing Java primitive objects by default served on the
> local host.
> One vector that allowed exposure to this vulnerability was Log4j’s allowance
> of Lookups to appear in log messages. As of Log4j 2.15.0 this feature is now
> disabled by default. While an option has been provided to enable Lookups in
> this fashion, users are strongly discouraged from enabling it.
> For those who cannot upgrade to 2.15.0, in releases >=2.10, this behavior can
> be mitigated by setting either the system property log4j2.formatMsgNoLookups
> or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases
> >=2.7 and <=2.14.1, all PatternLayout patterns can be modified to specify the
> message converter as %m{nolookups} instead of just %m. For releases
> >=2.0-beta9 and <=2.10.0, the mitigation is to remove the JndiLookup class
> from the classpath: zip -q -d log4j-core-*.jar
> org/apache/logging/log4j/core/lookup/JndiLookup.class.
> {quote}
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
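The advisory text quoted in the ticket gives three version-dependent workarounds for installations that cannot upgrade immediately. The script below is an added example, not Apache Storm or Log4j project code: it maps a log4j-core version string onto the mitigation the quoted advisory prescribes for that range, and it performs the "remove JndiLookup.class from the jar" step using Python's zipfile instead of the `zip -q -d` command, so it runs wherever Python is available. The jar it operates on is constructed in memory with placeholder class bytes; the version parser, the choice of the system-property route when 2.10.0 falls into two overlapping ranges, and the 2.15.0 threshold (the ticket itself bumps to 2.16.0) are this example's own assumptions.

```python
"""Added example for the CVE-2021-44228 workarounds quoted in STORM-3808.
Not project code; the sample jar is constructed here, not a real log4j-core."""
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Pre-release ordering is an assumption: alpha < beta < rc < final release.
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}


def parse_version(v):
    """'2.14.1' -> (2,14,1,3,0); '2.0-beta9' -> (2,0,0,1,9), so betas sort before GA."""
    base, _, pre = v.partition("-")
    nums = [int(x) for x in base.split(".")]
    nums += [0] * (3 - len(nums))
    if pre:
        m = re.match(r"([a-zA-Z]+)(\d*)", pre)
        rank = PRE_RANK.get(m.group(1).lower(), 0)
        num = int(m.group(2) or 0)
    else:
        rank, num = 3, 0
    return (nums[0], nums[1], nums[2], rank, num)


def choose_mitigation(version):
    """Apply the ranges from the quoted advisory, most preferred option first.
    2.10.0 sits in both the property range and the class-removal range; the
    property is chosen because it needs no jar surgery (assumption)."""
    v = parse_version(version)
    if v >= parse_version("2.15.0"):
        return "already at the advisory's fixed version; message lookups off by default"
    if v >= parse_version("2.10.0"):
        return "set log4j2.formatMsgNoLookups=true (or LOG4J_FORMAT_MSG_NO_LOOKUPS=true)"
    if v >= parse_version("2.7.0"):
        return "use %m{nolookups} instead of %m in every PatternLayout"
    if v >= parse_version("2.0-beta9"):
        return "remove " + JNDI_LOOKUP + " from the log4j-core jar"
    return "unaffected: older than 2.0-beta9"


def build_sample_jar():
    """Constructed stand-in for log4j-core-2.x.jar: manifest, one harmless
    class entry, and the JndiLookup class. Class bodies are placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def strip_jndi_lookup(jar_bytes):
    """Equivalent of `zip -q -d log4j-core-*.jar org/.../JndiLookup.class`.
    zipfile cannot delete in place, so every other entry is copied into a new
    archive. Returns (new_jar_bytes, removed); removed is False when the class
    was not present, which makes the operation safe to re-run."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    out = io.BytesIO()
    removed = False
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue(), removed


def jar_entries(jar_bytes):
    return sorted(zipfile.ZipFile(io.BytesIO(jar_bytes)).namelist())


def has_jndi_lookup(jar_bytes):
    """Post-mitigation check: the class must be gone from the archive listing."""
    return JNDI_LOOKUP in jar_entries(jar_bytes)


if __name__ == "__main__":
    for ver in ("2.0-beta8", "2.0-beta9", "2.9.1", "2.10.0", "2.14.1", "2.15.0"):
        print(ver, "->", choose_mitigation(ver))
    jar = build_sample_jar()
    patched, removed = strip_jndi_lookup(jar)
    print("removed:", removed, "still present:", has_jndi_lookup(patched))
    print("remaining entries:", jar_entries(patched))
```

On a real deployment, run the check against every log4j-core jar on the classpath, including copies bundled inside other archives, and re-run it after any redeploy that could restore the original jar; removing the class is only the fallback the advisory gives for the oldest range, and the ticket's own resolution is to upgrade.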