Conversation

@augi (Contributor) commented Dec 14, 2021

The 2.15.0 version is still vulnerable.

@lightbend-cla-validator

Hi @augi,

Thank you for your contribution! We really value the time you've taken to put this together.

Before we proceed with reviewing this pull request, please sign the Lightbend Contributors License Agreement:

https://www.lightbend.com/contribute/cla

@jtjeferreira (Contributor)

> The 2.15.0 version is still vulnerable.

Are you sure? I don't see anything in https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0 that suggests that...

@eed3si9n (Member)

@augi Thanks for the contribution.

> The 2.15.0 version is still vulnerable.

Could you clarify this statement please? https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4 says that it's more hardened, but it doesn't say that 2.15.0 is "vulnerable" in the same way the 2.x releases prior to 2.15.0 were.

@augi (Contributor, Author) commented Dec 14, 2021

Hello, quoting from this ticket:

> Dealing with CVE-2021-44228 has shown the JNDI has significant security issues. While we have mitigated what we are aware of it would be safer for users to completely disable it by default, especially since the large majority are unlikely to be using it.

So they decided to remove default JNDI support by default as it has significant security issues.

@eed3si9n (Member)

Thanks. Looks like https://logging.apache.org/log4j/2.x/security.html says

> CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.

@eed3si9n eed3si9n merged commit 4fb8e98 into sbt:1.5.x Dec 14, 2021
@dehypnosis

Waiting for the new release... finishing this endless log4j curse.

@eed3si9n eed3si9n changed the title chore(deps): log4j 2.16.0 [1.5.x] log4j 2.16.0 Dec 15, 2021
@mahesh2492

Has this been deployed? I have been using version 1.5.6 but still, it is fetching the 2.15.0 log4j version.
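The question above ("is my build still fetching 2.15.0?") is the check a defender actually needs to run against a resolved classpath. The following is an added example, not code from this PR or from the sbt project: it takes a list of resolved Maven coordinates in `group:artifact:version` form (a constructed sample is embedded; feed it your own build tool's dependency report reformatted that way) and flags every `log4j-core` entry that sits below the fix versions named in this thread, CVE-2021-44228 fixed in 2.15.0 and CVE-2021-45046 fixed in 2.16.0. The version comparison is generic, so it also reports older 2.x versions and which of the two CVEs each one misses.

```python
import re
from typing import Dict, List, Tuple

# Fix versions as stated in this PR thread: CVE-2021-44228 was addressed in
# 2.15.0, and CVE-2021-45046 (the reason 2.15.0 is "still vulnerable") in 2.16.0.
FIXED_IN: Dict[str, Tuple[int, int, int]] = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
}

# The artifact the CVEs above apply to (group and artifact of its Maven coordinate).
LOG4J_CORE = ("org.apache.logging.log4j", "log4j-core")

COORD_RE = re.compile(r"^(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):(?P<version>[^:\s]+)$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse '2.15.0' into (2, 15, 0). Missing components become 0 and any
    non-numeric suffix ('2.16.0-rc1') is ignored, so comparisons always run
    on three integers and '2.15' does not sort below '2.15.0'."""
    numbers: List[int] = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        numbers.append(int(match.group()))
    while len(numbers) < 3:
        numbers.append(0)
    return (numbers[0], numbers[1], numbers[2])


def affected_cves(version: str) -> List[str]:
    """Return the CVEs from FIXED_IN that a given log4j-core version is still below."""
    parsed = parse_version(version)
    return [cve for cve, fixed in FIXED_IN.items() if parsed < fixed]


def scan_dependencies(coordinates: List[str]) -> List[Tuple[str, List[str]]]:
    """Walk resolved 'group:artifact:version' coordinates and report every
    log4j-core entry below a fix version together with the CVEs it misses.
    Lines that are not coordinates (report headers, blanks) are skipped."""
    findings: List[Tuple[str, List[str]]] = []
    for line in coordinates:
        match = COORD_RE.match(line.strip())
        if not match:
            continue
        if (match["group"], match["artifact"]) != LOG4J_CORE:
            continue
        cves = affected_cves(match["version"])
        if cves:
            findings.append((line.strip(), cves))
    return findings


# Constructed sample of a resolved classpath, not real sbt output: the first
# entry is what a build still pulling 2.15.0 would show.
SAMPLE_RESOLVED = [
    "org.apache.logging.log4j:log4j-core:2.15.0",
    "org.apache.logging.log4j:log4j-api:2.15.0",
    "org.scala-lang:scala-library:2.12.15",
    "com.example:legacy-service:1.0.0",
]

if __name__ == "__main__":
    for coordinate, cves in scan_dependencies(SAMPLE_RESOLVED):
        print(f"{coordinate}: below fix version for {', '.join(cves)}")
```

On the sample the scan reports only the `log4j-core:2.15.0` line, and only for CVE-2021-45046, which matches the thread's point that 2.15.0 closed CVE-2021-44228 but not the follow-up issue. Non-numeric version suffixes are deliberately dropped rather than rejected, because a pre-release tag should not hide an out-of-date artifact from the report.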

@augi (Contributor, Author) commented Dec 15, 2021

The update to 2.16.0 is released in 1.5.7.

@mahesh2492

> The update to 2.16.0 is released in 1.5.7.

Okay and Thanks

@augi augi deleted the patch-1 branch December 20, 2021 07:14
KisaragiEffective referenced this pull request in GiganticMinecraft/SeichiAssist Dec 21, 2021