
update log4j to 2.15.0 to address security vulnerabilities #12051

Merged: 1 commit merged into apache:master from the update-log4j2 branch on Dec 10, 2021

Conversation

xvrl (Member) commented Dec 10, 2021

fixes #12050

@xvrl xvrl merged commit 1931601 into apache:master Dec 10, 2021
@xvrl xvrl deleted the update-log4j2 branch December 10, 2021 06:34
FrankChen021 (Member)

@xvrl You're so quick. Why can't I find the 2.15.0 artifact on mvnrepository.com?

clintropolis (Member)

It probably hasn't propagated to all of the mirrors yet; I see it here: https://search.maven.org/search?q=g:org.apache.logging.log4j

a2l007 (Contributor) commented Dec 10, 2021

Not sure if we know at this point whether 2.15.0 will completely resolve this issue, but operators must be setting -Dlog4j2.formatMsgNoLookups=true in their JVM args in the meantime.

suneet-s (Contributor)

log4j's official announcement is here: https://lists.apache.org/thread/bfnl1stql187jytr0t5k0hv0go6b76g4

Based on this, operators could add %m{nolookups} to the PatternLayout in log4j2.xml. Since we use log4j version 2.8.2, -Dlog4j2.formatMsgNoLookups=true will not work.

a2l007 (Contributor) commented Dec 10, 2021

Thanks for clarifying @suneet-s

dongjoon-hyun (Member)

Thank you all!

nikhil-ddu pushed a commit to twitter-forks/druid that referenced this pull request Dec 13, 2021
GElkayam commented Dec 15, 2021

@xvrl, @clintropolis, is this going to get updated to 2.16 to mitigate CVE-2021-45046?
Never mind, addressed in #12061.

FrankChen021 (Member)

@GElkayam I checked the description of that CVE. If I understand correctly, this vulnerability exists when a thread context map pattern layout is applied.

Since Druid's default log4j2 configuration does not use such a pattern layout, I think it's not affected by this problem.

This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack.
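Added example (not Druid or log4j project code, and not part of any comment above): a Python triage script that combines the two interim mitigations discussed by @a2l007 and @suneet-s with the CVE-2021-45046 layout caveat that @FrankChen021 quotes. It assumes, following the log4j announcement, that -Dlog4j2.formatMsgNoLookups=true is honoured only from log4j 2.10.0 on (hence it does nothing on 2.8.2), that %m{nolookups} disables message lookups in the PatternLayout, that 2.15.0 closes CVE-2021-44228, and that a layout using ${ctx:...}, %X, %mdc or %MDC stays exposed to CVE-2021-45046 until 2.16.0. The log4j2.xml document, version strings and JVM arguments in it are constructed samples, not Druid's shipped configuration.

```python
"""Triage helper for the log4j mitigations discussed in this thread.

Added example, not Druid or log4j project code. Assumptions encoded here:
 - -Dlog4j2.formatMsgNoLookups=true is only honoured by log4j >= 2.10.0,
   so it silently does nothing on the 2.8.2 Druid shipped before this PR;
 - %m{nolookups} in the PatternLayout disables message lookups on 2.8.2;
 - 2.15.0 closes CVE-2021-44228, but a layout that uses ${ctx:...}, %X,
   %mdc or %MDC is still exposed to CVE-2021-45046 until 2.16.0.
The log4j2.xml document, versions and JVM arguments are constructed samples.
"""
import re
import xml.etree.ElementTree as ET

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
# %m / %msg / %message conversions that do NOT carry the {nolookups} option.
MSG_NO_OPT = re.compile(r"%(message|msg|m)\b(?!\{nolookups\})")
# Layout features that hand Thread Context Map data to lookups (CVE-2021-45046).
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:")
MDC_PATTERN = re.compile(r"%(X|mdc|MDC)\b")


def parse_version(text):
    """'2.8.2' -> (2, 8, 2); '2.0-beta9' -> (2, 0, 0). Tuples compare naturally."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())


def layout_patterns(log4j2_xml):
    """Collect every PatternLayout pattern in a log4j2.xml document,
    from both the pattern="..." attribute and the <Pattern> child form."""
    root = ET.fromstring(log4j2_xml)
    patterns = []
    for layout in root.iter("PatternLayout"):
        if layout.get("pattern"):
            patterns.append(layout.get("pattern"))
        for child in layout.findall("Pattern"):
            if child.text and child.text.strip():
                patterns.append(child.text.strip())
    return patterns


def assess(log4j_version, patterns, jvm_args=()):
    """Decide which interim mitigation is effective for this deployment and
    whether the MDC-based CVE-2021-45046 caveat applies to its layouts."""
    v = parse_version(log4j_version)
    prop_set = "-Dlog4j2.formatMsgNoLookups=true" in jvm_args
    prop_effective = prop_set and v >= (2, 10, 0)   # 2.10.0 threshold: assumption above
    unprotected = [p for p in patterns if MSG_NO_OPT.search(p)]
    mdc_layouts = [p for p in patterns
                   if CTX_LOOKUP.search(p) or MDC_PATTERN.search(p)]
    target = "2.16.0+" if mdc_layouts else "2.15.0+"

    if v < (2, 15, 0):
        if prop_effective or not unprotected:
            action = f"upgrade to {target}; interim mitigation is in place"
        elif v >= (2, 10, 0):
            action = f"upgrade to {target}; set -Dlog4j2.formatMsgNoLookups=true now"
        else:
            action = (f"upgrade to {target}; the JVM flag is ignored on {log4j_version}, "
                      "add {nolookups} to every %m now")
    elif v < (2, 16, 0) and mdc_layouts:
        action = "upgrade to 2.16.0+; a layout exposes MDC data (CVE-2021-45046)"
    else:
        action = "no further action from this check"

    return {
        "cve_2021_44228_vulnerable": v < (2, 15, 0),
        "jvm_flag_ignored": prop_set and not prop_effective,
        "layouts_without_nolookups": unprotected,
        "layouts_exposing_mdc": mdc_layouts,
        "cve_2021_45046_exposed": v < (2, 16, 0) and bool(mdc_layouts),
        "action": action,
    }


# Constructed sample: one default-style console layout and one non-default
# "audit" layout that prints an MDC value (the CVE-2021-45046 case).
SAMPLE_LOG4J2_XML = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %p [%t] %c - %m%n"/>
    </Console>
    <Console name="Audit" target="SYSTEM_OUT">
      <PatternLayout>
        <Pattern>%d{ISO8601} %p user=%X{loginId} %c - %m{nolookups}%n</Pattern>
      </PatternLayout>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
"""

if __name__ == "__main__":
    pats = layout_patterns(SAMPLE_LOG4J2_XML)
    for version, args in [("2.8.2", ["-Dlog4j2.formatMsgNoLookups=true"]),
                          ("2.15.0", []), ("2.16.0", [])]:
        print(version, "->", assess(version, pats, args)["action"])
```

Run against a real deployment by reading the actual log4j2.xml and the process's JVM arguments; the version threshold for the system property is the one assumption to re-check against the log4j announcement linked above before relying on the flag alone.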

debasatwa29 pushed a commit to debasatwa29/druid that referenced this pull request Jun 2, 2022
…ilities

Summary:
Druid is running with JVM 1.8.0_232 but log4j 2.5, so it's P1 rather than P0.

Pull upstream to upgrade log4j to 2.15.0 to address security vulnerabilities

Changes are from the following upstream PRs:

# Upgrade log4j from 2.8.2 to 2.15.0
apache#12051
apache#12056

# Upgrade log4j from 2.5 to 2.8.2
apache#8878

Reviewers: O1139 Druid, jgu, itallam

Reviewed By: O1139 Druid, jgu, itallam

Subscribers: jenkins, shawncao, #realtime-analytics

Differential Revision: https://phabricator.pinadmin.com/D823708
anishanagarajan pushed a commit to twitter-forks/druid that referenced this pull request Sep 23, 2022

Successfully merging this pull request may close these issues: Recommended to upgrade log4j to 2.15.0 (#12050)
9 participants