Posted to dev@ignite.apache.org by Sergei Ryzhov <s....@gmail.com> on 2022/03/01 17:40:22 UTC

Re: [DISCUSSION] Exclude ignite-log4j, log4j 1.2.17

Anton, Nikolay thanks.

With this ticket [1] I will change the default logger to ignite-log4j2
and mark log4j as deprecated.

Before the review, I will check it on the TC bot and on the Ducktests.

[1] https://issues.apache.org/jira/browse/IGNITE-16626

Mon, 28 Feb 2022 at 19:10, Anton Vinogradov <av...@apache.org>:

> > But it seems we can’t do it right now because of existing deployments.
> Correct
>
> > Let’s mark this module as deprecated and remove it in 2.14?
> Possible way
>
> Also, we must check that this will not cause problems in tests (e.g. Ducktests).
>
> On Mon, Feb 28, 2022 at 6:48 PM Nikolay Izhikov <ni...@apache.org>
> wrote:
>
> > Hello, Anton.
> >
> > +1 to remove the outdated logging library.
> >
> > But it seems we can’t do it right now because of existing deployments.
> > Let’s mark this module as deprecated and remove it in 2.14?
> >
> >
> > > Not every deployment needs to be secured.
> >
> > Disagree.
> > We should update or workaround known security issues ASAP.
> >
> >
> > > Not every deployment requires the use of log4j.
> >
> >
> >
> > Agree, but we shouldn’t provide or support modules with known security
> > issues.
> >
> >
> > > On 28 Feb 2022, at 18:41, Anton Vinogradov <av...@apache.org> wrote:
> > >
> > > Your deployment has vulnerabilities only if you configured log4j as
> > > the logger.
> > > Not every deployment needs to be secured.
> > > Not every deployment requires the use of log4j.
> > >
> > > We must change the default logging library if the current one is log4j,
> > > and provide the ability to use log4j as before (where it is required)
> > > but with a warning, I think.
> > >
> > > On Mon, Feb 28, 2022 at 3:55 PM Sergei Ryzhov <s....@gmail.com>
> > wrote:
> > >
> > >> Hello, Igniters.
> > >>
> > >> log4j 1.2.17 is not supported and contains critical vulnerabilities.
> > >> I suggest excluding log4j 1.2.17 and the ignite-log4j module from
> > >> Ignite [1].
> > >>
> > >> Direct vulnerabilities:
> > >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305
> > >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302
> > >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
> > >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571
> > >>
> > >> WDYT?
> > >>
> > >> [1] https://issues.apache.org/jira/browse/IGNITE-16626
> > >>
> > >> --
> > >> Best regards,
> > >> Sergei Ryzhov
> > >>
> >
> >
>


-- 
Best regards,
Sergei Ryzhov
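Added example, not code from this thread or from the Apache Ignite project: a small audit script for the question Anton raises above, namely whether a given deployment actually has log4j 1.x on its classpath and whether its log4j configuration references the components that the four CVEs listed in the thread concern. The CVE-to-class mapping is taken from the public advisories for those CVEs (SocketServer, JMSAppender, JMSSink, JDBCAppender). The jar contents and the log4j.properties sample are constructed inline so the script runs offline; against a real deployment you would feed audit_jar the bytes of each jar the node loads and audit_log4j1_config the log4j 1.x properties file it is started with.

```python
"""Audit a deployment for log4j 1.x jars and for the log4j 1.x components
named in the CVEs under discussion.

Added example, not code from the Apache Ignite project or this thread.
The CVE-to-class mapping is from the public advisories for those CVEs;
the jar contents and config file below are constructed sample inputs.
"""
import io
import re
import zipfile

# Classes whose presence in a log4j 1.x jar corresponds to the CVEs listed in
# the thread (mapping taken from the public advisory descriptions).
CVE_CLASSES = {
    "CVE-2019-17571": "org/apache/log4j/net/SocketServer.class",
    "CVE-2021-4104": "org/apache/log4j/net/JMSAppender.class",
    "CVE-2022-23302": "org/apache/log4j/net/JMSSink.class",
    "CVE-2022-23305": "org/apache/log4j/jdbc/JDBCAppender.class",
}

# Appenders an operator must reference in log4j.properties for the JNDI/JDBC
# issues to be reachable at all. SocketServer and JMSSink are standalone
# programs rather than appenders, so they do not show up in a config file.
RISKY_APPENDERS = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
}

# Hint only: the log4j 2 compatibility bridge (log4j-1.2-api) also ships
# classes under org/apache/log4j, so this marker alone does not prove 1.x.
LOG4J1_API_MARKER = "org/apache/log4j/Category.class"


def audit_jar(jar_bytes: bytes) -> dict:
    """Report which CVE-relevant classes a jar contains."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
    return {
        "has_log4j1_api": LOG4J1_API_MARKER in names,
        "cves": sorted(cve for cve, cls in CVE_CLASSES.items() if cls in names),
    }


def audit_log4j1_config(text: str) -> list[tuple[str, str]]:
    """Return (appender name, CVE) for each risky appender a log4j.properties configures."""
    pattern = re.compile(r"^\s*log4j\.appender\.(\w+)\s*=\s*([\w.]+)", re.MULTILINE)
    return [
        (name, RISKY_APPENDERS[cls])
        for name, cls in pattern.findall(text)
        if cls in RISKY_APPENDERS
    ]


def build_fake_jar(entries) -> bytes:
    """Constructed stand-in for a jar: a zip containing empty class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed sample inputs (not real jars or a real deployment config).
FAKE_LOG4J_1_2_17 = build_fake_jar([LOG4J1_API_MARKER, *CVE_CLASSES.values()])
FAKE_LOG4J_CORE_2 = build_fake_jar(["org/apache/logging/log4j/core/Logger.class"])

SAMPLE_CONFIG = """\
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""

if __name__ == "__main__":
    print(audit_jar(FAKE_LOG4J_1_2_17))
    print(audit_jar(FAKE_LOG4J_CORE_2))
    print(audit_log4j1_config(SAMPLE_CONFIG))
```

The two checks are deliberately separate: a log4j 1.x jar on the classpath is what a dependency scanner flags, while the config check answers the narrower question of whether the JMS or JDBC appender is actually wired in. Removing the jar (or the ignite-log4j module that pulls it in) closes both; merely not configuring the appenders leaves the jar to be flagged on every scan.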

Re: [DISCUSSION] Exclude ignite-log4j, log4j 1.2.17

Posted by Nikita Amelchev <na...@apache.org>.
+1 to deprecate the 'ignite-log4j' module and remove it in the next releases.

Tue, 1 Mar 2022 at 20:40, Sergei Ryzhov <s....@gmail.com>:
>
> Anton, Nikolay thanks.
>
> With this ticket [1] I will change the default logger to ignite-log4j2
> and mark log4j as deprecated.
>
> Before the review, I will check it on the TC bot and on the Ducktests.
>
> [1] https://issues.apache.org/jira/browse/IGNITE-16626
>
> --
> Best regards,
> Sergei Ryzhov



-- 
Best wishes,
Amelchev Nikita