Posted to user@ignite.apache.org by John Smith <ja...@gmail.com> on 2021/12/15 22:23:47 UTC

Apache Ignite and the log4j Vulnerability.

So far I haven't seen anyone ask about the issue here in the lists. So I'll
give it a go.

I'm personally using 2.8.1

1- If we are running as a service using .DEB or .RPM or other Linux
packages: The default logging is JUL so nothing to worry about.
2- If we aren't specifically enabling the ignite-log4j2 module by copying
it to the libs folder: Also nothing to worry about.
3- If we are not specifically enabling log4j2 in XML config or through Java
code: Also nothing to worry about.
4- If we are not pulling the ignite-log4j2 dependency with maven/gradle:
Also nothing to worry about.
5- On the client side (client = true). We pull ignite-slf4j + use
logback-classic + logback-core: Also nothing to worry about.

Strictly speaking from Ignite's side, if external dependencies pull the log4j2
dependency, so long as we don't explicitly enable any Ignite log4j2 config we
are ok as well.
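
A way to check points 2 and 3 of the list above on a node, as an added example that is not part of the original post or of Ignite itself. It assumes active jars live under `$IGNITE_HOME/libs` (with `libs/optional` not loaded), that Spring XML lives under `$IGNITE_HOME/config`, and that an enabled logger shows up as the string `Log4J2Logger`; the function names and the sample layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether the ignite-log4j2 module looks enabled.

# List jars matching pattern $2 under $1/libs, skipping libs/optional.
jars_on_classpath() {
    find "$1/libs" -path "$1/libs/optional" -prune -o \
        -type f -name "$2" -print 2>/dev/null || true
}

# Prints findings; returns 1 if the module or its logger config is found.
check_ignite_log4j2() {
    home=$1
    mod=$(jars_on_classpath "$home" 'ignite-log4j2*.jar')   # point 2
    core=$(jars_on_classpath "$home" 'log4j-core*.jar')     # informational
    # Point 3: XML config that names Ignite's Log4J2Logger class.
    cfgs=$(find "$home/config" -type f -name '*.xml' \
        -exec grep -l 'Log4J2Logger' {} + 2>/dev/null || true)
    if [ -n "$mod" ]; then echo "$mod" | sed 's/^/module on classpath: /'; fi
    if [ -n "$cfgs" ]; then echo "$cfgs" | sed 's/^/logger configured in: /'; fi
    if [ -n "$core" ]; then echo "$core" | sed 's/^/log4j-core present: /'; fi
    if [ -n "$mod" ] || [ -n "$cfgs" ]; then return 1; fi
    echo "no ignite-log4j2 module or Log4J2Logger config under $home"
    return 0
}

# Constructed sample layout (empty placeholder files, not real jars).
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/libs/optional/ignite-log4j2" "$dir/config"
    : > "$dir/libs/ignite-core-0.0.0.jar"
    : > "$dir/libs/optional/ignite-log4j2/ignite-log4j2-0.0.0.jar"
    : > "$dir/libs/optional/ignite-log4j2/log4j-core-0.0.0.jar"
    echo '<beans/>' > "$dir/config/default-config.xml"
    echo "$dir"
}

# Simulate point 2: copy the optional module into libs/.
enable_module() {
    cp -r "$1/libs/optional/ignite-log4j2" "$1/libs/"
}

# Usage: ./check.sh /path/to/ignite (exit status 1 means "look closer").
[ -z "${1:-}" ] || check_ignite_log4j2 "$1"
```

The check covers only the server-side layout; dependencies pulled through maven/gradle (point 4) need to be inspected in the build's own dependency tree.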

Re: Apache Ignite and the log4j Vulnerability.

Posted by Stephen Darlington <st...@gridgain.com>.
That’s a good summary, thanks. For people who do use log4j2 with Ignite, this is the best public summary I’ve seen so far:

https://www.gridgain.com/resources/blog/what-you-need-know-about-log4j-vulnerabilities-apache-ignite-and-gridgain

In summary, there are immediate mitigations you can apply and there should be new releases shortly that incorporate the fixed version of log4j2.

> On 15 Dec 2021, at 22:23, John Smith <ja...@gmail.com> wrote:
> 
> So far I haven't seen anyone ask about the issue here in the lists. So I'll give it a go.
> 
> I'm personally using 2.8.1
> 
> 1- If we are running as a service using .DEB or .RPM or other Linux packages: The default logging is JUL so nothing to worry about.
> 2- If we aren't specifically enabling the ignite-log4j2 module by copying it to the libs folder: Also nothing to worry about.
> 3- If we are not specifically enabling log4j2 in XML config or through Java code: Also nothing to worry about.
> 4- If we are not pulling the ignite-log4j2 dependency with maven/gradle: Also nothing to worry about.
> 5- On the client side (client = true). We pull ignite-slf4j + use logback-classic + logback-core: Also nothing to worry about.
> 
> Strictly speaking from Ignite's side, if external dependencies pull the log4j2 dependency, so long as we don't explicitly enable any Ignite log4j2 config we are ok as well.