You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@storm.apache.org by "Ethan Li (Jira)" <ji...@apache.org> on 2022/01/16 20:43:00 UTC

[jira] [Closed] (STORM-3808) Bump log4j version to 2.16.0 (original ticket was 2.15.0)

     [ https://issues.apache.org/jira/browse/STORM-3808?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ethan Li closed STORM-3808.
---------------------------

> Bump log4j version to 2.16.0 (original ticket was 2.15.0)
> ---------------------------------------------------------
>
>                 Key: STORM-3808
>                 URL: https://issues.apache.org/jira/browse/STORM-3808
>             Project: Apache Storm
>          Issue Type: Improvement
>            Reporter: Luke Sun
>            Priority: Major
>
> For CVE-2021-44228 to bump log4j 2.15.0
> {code:java}
> News
> CVE-2021-44228
> The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, that has been addressed in Log4j 2.15.0.
> Log4j’s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code execution. Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap protocols to only accessing Java primitive objects by default served on the local host.
> One vector that allowed exposure to this vulnerability was Log4j’s allowance of Lookups to appear in log messages. As of Log4j 2.15.0 this feature is now disabled by default. While an option has been provided to enable Lookups in this fashion, users are strongly discouraged from enabling it.
> For those who cannot upgrade to 2.15.0, in releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases >=2.7 and <=2.14.1, all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m. For releases >=2.0-beta9 and <=2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
> {code}



--
This message was sent by Atlassian Jira
(v8.20.1#820001)