Posted to user@cassandra.apache.org by Abdul Patel <ab...@gmail.com> on 2021/12/11 17:07:10 UTC

Log4j vulnerability

Hi all,

Any idea if any of the open source Cassandra versions are impacted by the log4j
vulnerability which was reported on Dec 9th?

Re: Log4j vulnerability

Posted by Anthony Grasso <an...@gmail.com>.
Hi Arvinder,

You are correct; tlp-stress includes Log4j as one of its libraries and
users will need to update the JAR file.

On 16th December 2021, tlp-stress was updated [1] to include Log4j 2.16.0
which fixed CVE-2021-45046. Version 5.0.0 was released which included this
change.

Unfortunately, further security issues were identified in Log4j v2.16.0. On
10th January 2022, tlp-stress was updated again [2] to include Log4j 2.17.1,
which fixed CVE-2021-45105 and CVE-2021-44832. A new version of tlp-stress
will be released soon which will include these updates.

For now please build and use the latest version of the master branch to get
the latest patch.

Kind regards,
Anthony

[1]
https://github.com/thelastpickle/tlp-stress/commit/298135e2bfc6d4d23f04154f098c3592dd3b32f0
[2]
https://github.com/thelastpickle/tlp-stress/commit/2d4542c27d3f1c0e24899c01247b9a8ee3c9a238

On Tue, 11 Jan 2022 at 16:56, Arvinder Dhillon <dh...@gmail.com>
wrote:

> If anyone uses tlp-stress tool, it uses Log4j. It might not be in use most
> of the time, you might want to remove/upgrade the jar.
>
> On Mon, Dec 13, 2021 at 3:58 PM Bowen Song <bo...@bso.ng> wrote:
>
>> Do you mean the log4j-over-slf4j-#.jar? If so, please read:
>> http://slf4j.org/log4shell.html
>>
>> On 13/12/2021 23:48, Rahul Reddy wrote:
>>
>> Hello,
>>
>>
>> I see this jar  log4j-over-slf4j-1.7.7.jar does it have any impact on
>> it? Why that jar is used for ?
>>
>>
>>
>> On Sat, Dec 11, 2021 at 12:45 PM Brandon Williams <dr...@gmail.com>
>> wrote:
>>
>>> https://issues.apache.org/jira/browse/CASSANDRA-5883
>>>
>>> As that ticket shows, Apache Cassandra has never used log4j2.
>>>
>>> On Sat, Dec 11, 2021 at 11:07 AM Abdul Patel <ab...@gmail.com>
>>> wrote:
>>> >
>>> > Hi all,
>>> >
>>> > Any idea if any of open source Cassandra versions are impacted with
>>> log4j vulnerability which was reported on dec 9th
>>>
>>

Re: Log4j vulnerability

Posted by Arvinder Dhillon <dh...@gmail.com>.
If anyone uses the tlp-stress tool, it uses Log4j. It might not be in use most
of the time; you might want to remove/upgrade the jar.

On Mon, Dec 13, 2021 at 3:58 PM Bowen Song <bo...@bso.ng> wrote:

> Do you mean the log4j-over-slf4j-#.jar? If so, please read:
> http://slf4j.org/log4shell.html
>
> On 13/12/2021 23:48, Rahul Reddy wrote:
>
> Hello,
>
>
> I see this jar  log4j-over-slf4j-1.7.7.jar does it have any impact on it?
> Why that jar is used for ?
>
>
>
> On Sat, Dec 11, 2021 at 12:45 PM Brandon Williams <dr...@gmail.com>
> wrote:
>
>> https://issues.apache.org/jira/browse/CASSANDRA-5883
>>
>> As that ticket shows, Apache Cassandra has never used log4j2.
>>
>> On Sat, Dec 11, 2021 at 11:07 AM Abdul Patel <ab...@gmail.com> wrote:
>> >
>> > Hi all,
>> >
>> > Any idea if any of open source Cassandra versions are impacted with
>> log4j vulnerability which was reported on dec 9th
>>
>

Re: Log4j vulnerability

Posted by Bowen Song <bo...@bso.ng>.
Do you mean the log4j-over-slf4j-#.jar? If so, please read:
http://slf4j.org/log4shell.html


On 13/12/2021 23:48, Rahul Reddy wrote:
> Hello,
>
>
> I see this jar  log4j-over-slf4j-1.7.7.jar does it have any impact on 
> it? Why that jar is used for ?
>
>
>
> On Sat, Dec 11, 2021 at 12:45 PM Brandon Williams <dr...@gmail.com> 
> wrote:
>
>     https://issues.apache.org/jira/browse/CASSANDRA-5883
>
>     As that ticket shows, Apache Cassandra has never used log4j2.
>
>     On Sat, Dec 11, 2021 at 11:07 AM Abdul Patel <ab...@gmail.com>
>     wrote:
>     >
>     > Hi all,
>     >
>     > Any idea if any of open source Cassandra versions are impacted
>     with log4j vulnerability which was reported on dec 9th
>

Re: Log4j vulnerability

Posted by Rahul Reddy <ra...@gmail.com>.
Hello,

I see this jar log4j-over-slf4j-1.7.7.jar; does it have any impact on it?
What is that jar used for?

On Sat, Dec 11, 2021 at 12:45 PM Brandon Williams <dr...@gmail.com> wrote:

> https://issues.apache.org/jira/browse/CASSANDRA-5883
>
> As that ticket shows, Apache Cassandra has never used log4j2.
>
> On Sat, Dec 11, 2021 at 11:07 AM Abdul Patel <ab...@gmail.com> wrote:
> >
> > Hi all,
> >
> > Any idea if any of open source Cassandra versions are impacted with
> log4j vulnerability which was reported on dec 9th
>

Re: Log4j vulnerability

Posted by Stefan Miklosovic <st...@instaclustr.com>.
Hi users,

I'll just add that a dependency check ant target (written by myself) was
recently added to scan the deps for CVEs. People can execute it themselves
with "ant dependency-check" and it will automatically scan the vulnerability
database against the Cassandra libraries we ship.

Regards

On Sat, 11 Dec 2021 at 18:44, Brandon Williams <dr...@gmail.com> wrote:
>
> https://issues.apache.org/jira/browse/CASSANDRA-5883
>
> As that ticket shows, Apache Cassandra has never used log4j2.
>
> On Sat, Dec 11, 2021 at 11:07 AM Abdul Patel <ab...@gmail.com> wrote:
> >
> > Hi all,
> >
> > Any idea if any of open source Cassandra versions are impacted with log4j vulnerability which was reported on dec 9th
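
Two of the replies above describe the same defender's check from different angles: Anthony's message gives the Log4j versions that carry each fix (2.16.0 for CVE-2021-45046, 2.17.1 for CVE-2021-45105 and CVE-2021-44832), Stefan's points at the `ant dependency-check` target that scans shipped libraries, and Bowen's notes that `log4j-over-slf4j` is an SLF4J bridge rather than Log4j 2. The script below is an added example, not code from Cassandra, tlp-stress or any of the posters. It walks a `lib/` directory, tells a real `log4j-core` JAR apart from the bridge by the Maven `pom.properties` entry a Log4j 2 core JAR carries, reads the version and lists which of the thread's three fixes it predates. The `Finding` class, the function names and all the JARs it inspects are assumptions; the sample JARs are constructed in a temporary directory so the script runs offline.

```python
"""Scan a lib/ directory for Log4j 2 core JARs and report which of the fixes
named in this thread they lack. Added example, not tlp-stress or Cassandra code;
every JAR it inspects is constructed below in a temporary directory."""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Version that first carried each fix, as stated in Anthony's message above.
FIXED_IN = {
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 1),
    "CVE-2021-44832": (2, 17, 1),
}
# Maven metadata that a genuine log4j-core JAR carries. The SLF4J bridge
# (log4j-over-slf4j) does not, because it only reimplements the log4j 1.x API.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class hosting the JNDI lookup in Log4j 2; its presence is a quick secondary
# signal that a JAR is an unmodified Log4j 2 core and not a bridge.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


@dataclass
class Finding:                      # hypothetical result type for this example
    jar: str
    kind: str                       # "log4j-core", "log4j-over-slf4j" or "other"
    version: Optional[Tuple[int, ...]] = None
    missing_fixes: List[str] = field(default_factory=list)
    has_jndi_lookup: bool = False


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '2.17.1' into (2, 17, 1) so versions compare as tuples."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def inspect_jar(path: str) -> Finding:
    name = os.path.basename(path)
    with zipfile.ZipFile(path) as zf:
        entries = set(zf.namelist())
        has_jndi = JNDI_LOOKUP in entries
        if POM_PROPS in entries:
            version = None
            for line in zf.read(POM_PROPS).decode("utf-8").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
            # A fix is missing when the JAR is older than the version carrying it
            # (or when the version cannot be read at all).
            missing = [cve for cve, fixed in FIXED_IN.items()
                       if version is None or version < fixed]
            return Finding(name, "log4j-core", version, missing, has_jndi)
    if name.startswith("log4j-over-slf4j"):
        return Finding(name, "log4j-over-slf4j", has_jndi_lookup=has_jndi)
    return Finding(name, "other", has_jndi_lookup=has_jndi)


def scan_lib_dir(lib_dir: str) -> List[Finding]:
    jars = sorted(f for f in os.listdir(lib_dir) if f.endswith(".jar"))
    return [inspect_jar(os.path.join(lib_dir, f)) for f in jars]


def jars_needing_update(findings: List[Finding]) -> List[str]:
    return [f.jar for f in findings if f.missing_fixes]


def build_sample_lib_dir() -> str:
    """Construct fake JARs (zip files with just enough entries) for the demo."""
    lib_dir = tempfile.mkdtemp(prefix="log4j-scan-")
    fake_class = b"\xca\xfe\xba\xbe"   # class-file magic; the contents do not matter
    samples = {                         # constructed sample JAR names and entries
        "log4j-core-2.14.1.jar": {POM_PROPS: "version=2.14.1\n", JNDI_LOOKUP: fake_class},
        "log4j-core-2.16.0.jar": {POM_PROPS: "version=2.16.0\n", JNDI_LOOKUP: fake_class},
        "log4j-core-2.17.1.jar": {POM_PROPS: "version=2.17.1\n", JNDI_LOOKUP: fake_class},
        "log4j-over-slf4j-1.7.7.jar": {"org/apache/log4j/Logger.class": fake_class},
        "logback-classic-1.2.9.jar": {"ch/qos/logback/classic/Logger.class": fake_class},
    }
    for jar, entries in samples.items():
        with zipfile.ZipFile(os.path.join(lib_dir, jar), "w") as zf:
            for entry, data in entries.items():
                zf.writestr(entry, data)
    return lib_dir


if __name__ == "__main__":
    for f in scan_lib_dir(build_sample_lib_dir()):
        status = ("needs update: " + ", ".join(f.missing_fixes)) if f.missing_fixes else "ok"
        print(f"{f.jar:30} {f.kind:18} {status}")
```

Point `scan_lib_dir` at a real `lib/` directory to get the same report for an installed Cassandra or tlp-stress build; the bridge JAR from Rahul's question comes out as `log4j-over-slf4j` with no missing fixes, while only a JAR carrying the `log4j-core` Maven metadata is ever compared against the version table.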

Re: Log4j vulnerability

Posted by Brandon Williams <dr...@gmail.com>.
https://issues.apache.org/jira/browse/CASSANDRA-5883

As that ticket shows, Apache Cassandra has never used log4j2.

On Sat, Dec 11, 2021 at 11:07 AM Abdul Patel <ab...@gmail.com> wrote:
>
> Hi all,
>
> Any idea if any of open source Cassandra versions are impacted with log4j vulnerability which was reported on dec 9th

Re: Log4j vulnerability

Posted by James Brown <jb...@easypost.com>.
As far as I can tell, Cassandra uses logback, not log4j2, so it shouldn't
be affected. The logback website <http://logback.qos.ch/>, in fact, now has
some quite snarky language differentiating it from log4j2.

On Sat, Dec 11, 2021 at 9:07 AM Abdul Patel <ab...@gmail.com> wrote:

> Hi all,
>
> Any idea if any of open source Cassandra versions are impacted with log4j
> vulnerability which was reported on dec 9th
>


-- 
James Brown
Engineer