Update to log4j 2.17.0 #1771

Merged
merged 1 commit into from
Dec 18, 2021

reta
Collaborator

@reta reta commented Dec 18, 2021

Signed-off-by: Andriy Redko [email protected]

Description

Update to log4j 2.17.0. It seems like it could be dragging for a while:

  • Address CVE-2021-45105.
  • Require components that use JNDI to be enabled individually via system properties.
  • Remove LDAP and LDAPS as supported protocols from JNDI.

Issues Resolved

Address CVE-2021-45105.

Closes #1772.

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Andriy Redko <[email protected]>
@reta reta requested a review from a team as a code owner December 18, 2021 17:03
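
An added example, not part of this pull request or the OpenSearch code base: a Python check that walks an installation directory, including jars nested inside plugin zips and fat jars, and reports Log4j 2 artifacts older than the 2.17.0 this PR updates to. The artifact name list, the function names and the nesting depth limit are assumptions of the example; Log4j 1.x jars are not matched.

```python
import io
import re
import zipfile
from pathlib import Path

TARGET = (2, 17, 0)  # the version this pull request updates to
ARCHIVES = (".jar", ".zip", ".war")
# Matches e.g. log4j-core-2.16.0.jar, log4j-1.2-api-2.15.0.jar (artifact list is an assumption)
JAR_RE = re.compile(r"(log4j-(?:core|api|1\.2-api|slf4j-impl|jul))-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")

def parse(name):
    """Return (artifact, version tuple) for a Log4j 2 jar name, else None."""
    m = JAR_RE.search(name.replace("\\", "/"))
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4) or 0))

def check(name, where, findings):
    """Append (location, artifact, version) when the jar is older than TARGET."""
    hit = parse(name)
    if hit and hit[1] < TARGET:
        findings.append((where, hit[0], ".".join(map(str, hit[1]))))

def scan_archive(data, label, findings, depth=0):
    """Check every entry of a zip/jar, following nested archives up to 3 levels."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            where = f"{label}!{entry}"
            check(entry, where, findings)
            if entry.endswith(ARCHIVES) and depth < 3:
                try:
                    scan_archive(zf.read(entry), where, findings, depth + 1)
                except zipfile.BadZipFile:
                    pass  # entry has an archive suffix but is not a zip

def scan_tree(root):
    """Walk root and return findings for Log4j 2 jars older than TARGET."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        check(path.name, str(path), findings)
        if path.suffix in ARCHIVES:
            try:
                scan_archive(path.read_bytes(), str(path), findings)
            except zipfile.BadZipFile:
                pass  # file on disk is not a readable zip
    return findings
```

Call `scan_tree()` on the distribution or plugin directory; an empty list means no matched artifact is below 2.17.0 by file name.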
@opensearch-ci-bot
Collaborator

Can one of the admins verify this patch?

@reta
Collaborator Author

reta commented Dec 18, 2021

Sorry @dblock :( it seems like log4j just got all the attention these days ...

@dblock
Member

dblock commented Dec 18, 2021

You rock, thanks for beating me to this one.

@dblock dblock added backport 1.x pending backport Identifies an issue or PR that still needs to be backported labels Dec 18, 2021
@saratvemulapalli
Member

Thanks @reta for this.
Could you backport this to 1.x, 1.2?

@saratvemulapalli saratvemulapalli merged commit ca27c8f into opensearch-project:main Dec 18, 2021
@opensearch-ci-bot
Collaborator

✅   Gradle Check success 3a45e2d
Log 1590

Reports 1590

reta added a commit to reta/OpenSearch that referenced this pull request Dec 18, 2021
reta added a commit to reta/OpenSearch that referenced this pull request Dec 18, 2021
saratvemulapalli pushed a commit that referenced this pull request Dec 18, 2021
saratvemulapalli pushed a commit that referenced this pull request Dec 18, 2021
Labels
backport 1.x backport 1.2 pending backport Identifies an issue or PR that still needs to be backported v1.2.3
Development

Successfully merging this pull request may close these issues.

[BUG] Upgrade to Log4j 2.17 (CVE-2021-45105)
4 participants