You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@cassandra.apache.org by "Brandon Williams (Jira)" <ji...@apache.org> on 2022/01/12 21:36:00 UTC

[jira] [Updated] (CASSANDRA-17204) Upgrade to Logback 1.2.9 (security)

     [ https://issues.apache.org/jira/browse/CASSANDRA-17204?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brandon Williams updated CASSANDRA-17204:
-----------------------------------------
    Summary: Upgrade to Logback 1.2.9 (security)  (was: Upgrade to Logback 1.2.8 (security))

> Upgrade to Logback 1.2.9 (security)
> -----------------------------------
>
>                 Key: CASSANDRA-17204
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17204
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Dependencies
>            Reporter: Jochen Schalanda
>            Assignee: Brandon Williams
>            Priority: Normal
>             Fix For: 3.0.x, 3.11.x, 4.0.x, 4.x
>
>
> Logback 1.2.8 has been released with a fix for a potential vulnerability in its JNDI lookup.
>  * [http://logback.qos.ch/news.html]
>  * [https://jira.qos.ch/browse/LOGBACK-1591]
> {quote}*14th of December, 2021, Release of version 1.2.8*
> We note that the vulnerability mentioned in LOGBACK-1591 requires write access to logback's configuration file as a prerequisite.
> * • In response to LOGBACK-1591, we have disabled all JNDI lookup code in logback until further notice. This impacts {{ContextJNDISelector}} and {{<insertFromJNDI>}} element in configuration files.
> * Also in response to LOGBACK-1591, we have removed all database (JDBC) related code in the project with no replacement.
> We note that the vulnerability mentioned in LOGBACK-1591 requires write access to logback's configuration file as a prerequisite. A successful RCE requires all of the following to be true:
> * write access to logback.xml
> * use of versions < 1.2.8
> * reloading of poisoned configuration data, which implies application restart or scan="true" set prior to attack
> Therefore and as an additional precaution, in addition to upgrading to version 1.2.8, we also recommend users to set their logback configuration files as read-only.
> {quote}
> This is not as bad as CVE-2021-44228 in Log4j <2.15.0 (Log4Shell), but should probably be fixed anyway.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org