Posted to user@ignite.apache.org by Andrew Story <an...@fico.com> on 2020/09/18 22:47:32 UTC

critical security vulnerability for /opt/ignite/apache-ignite/libs/optional/ignite-rest-http/log4j-1.2.17.jar

Would it be possible in the next release of Ignite to upgrade the 3rd party
component
/opt/ignite/apache-ignite/libs/optional/ignite-rest-http/log4j-1.2.17.jar to
log4j-core-2.13.3.jar?

This component log4j-1.2.17.jar is flagged as having a critical security
vulnerability which is described here:
https://nvd.nist.gov/vuln/detail/CVE-2019-17571

The latest version of this component appears to be 2.13.3 which should
resolve the vulnerability:
https://logging.apache.org/log4j/2.x/download.html.

Thanks,

Andrew Story




--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/

Re: critical security vulnerability for /opt/ignite/apache-ignite/libs/optional/ignite-rest-http/log4j-1.2.17.jar

Posted by Stephen Darlington <st...@gridgain.com>.
https://issues.apache.org/jira/browse/IGNITE-13464

> On 21 Sep 2020, at 11:02, Ilya Kasnacheev <il...@gmail.com> wrote:
> 
> Hello!
> 
> Good catch! I think you should file a critical level ticket about it.
> 
> Regards,
> -- 
> Ilya Kasnacheev
> 
> 
> Mon, 21 Sep 2020 at 12:56, Stephen Darlington <stephen.darlington@gridgain.com <ma...@gridgain.com>>:
> Actually, this is an interesting one: it’s not the top level ignite-log4j module, but a dependency of ignite-rest-http. Why does the REST API have log4j (and slf4j) dependencies at all?
> 
>> On 21 Sep 2020, at 10:19, Ilya Kasnacheev <ilya.kasnacheev@gmail.com <ma...@gmail.com>> wrote:
>> 
>> Hello!
>> 
>> Log4J 1.x does not have any non-vulnerable releases, and Log4J2 is not binary compatible.
>> 
>> You can sidestep this by not including ignite-log4j module and instead resorting to ignite-log4j2.
>> 
>> Regards,
>> -- 
>> Ilya Kasnacheev
>> 
>> 
>> Sat, 19 Sep 2020 at 01:47, Andrew Story <andrewstory@fico.com <ma...@fico.com>>:
>> Would it be possible in the next release of Ignite to upgrade the 3rd party
>> component
>> /opt/ignite/apache-ignite/libs/optional/ignite-rest-http/log4j-1.2.17.jar to
>> log4j-core-2.13.3.jar?
>> 
>> This component log4j-1.2.17.jar is flagged as having a critical security
>> vulnerability which is described here:
>> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
>> 
>> The latest version of this component appears to be 2.13.3 which should
>> resolve the vulnerability:
>> https://logging.apache.org/log4j/2.x/download.html.
>> 
>> Thanks,
>> 
>> Andrew Story
>> 
>> 
>> 
>> 
>> --
>> Sent from: http://apache-ignite-users.70518.x6.nabble.com/
> 
> 



Re: critical security vulnerability for /opt/ignite/apache-ignite/libs/optional/ignite-rest-http/log4j-1.2.17.jar

Posted by Ilya Kasnacheev <il...@gmail.com>.
Hello!

Good catch! I think you should file a critical level ticket about it.

Regards,
-- 
Ilya Kasnacheev


Mon, 21 Sep 2020 at 12:56, Stephen Darlington <
stephen.darlington@gridgain.com>:

> Actually, this is an interesting one: it’s not the top level ignite-log4j
> module, but a dependency of ignite-rest-http. Why does the REST API have
> log4j (and slf4j) dependencies at all?
>
> On 21 Sep 2020, at 10:19, Ilya Kasnacheev <il...@gmail.com>
> wrote:
>
> Hello!
>
> Log4J 1.x does not have any non-vulnerable releases, and Log4J2 is not
> binary compatible.
>
> You can sidestep this by not including ignite-log4j module and instead
> resorting to ignite-log4j2.
>
> Regards,
> --
> Ilya Kasnacheev
>
>
> Sat, 19 Sep 2020 at 01:47, Andrew Story <an...@fico.com>:
>
>> Would it be possible in the next release of Ignite to upgrade the 3rd
>> party
>> component
>> /opt/ignite/apache-ignite/libs/optional/ignite-rest-http/log4j-1.2.17.jar
>> to
>> log4j-core-2.13.3.jar?
>>
>> This component log4j-1.2.17.jar is flagged as having a critical security
>> vulnerability which is described here:
>> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
>>
>> The latest version of this component appears to be 2.13.3 which should
>> resolve the vulnerability:
>> https://logging.apache.org/log4j/2.x/download.html.
>>
>> Thanks,
>>
>> Andrew Story
>>
>>
>>
>>
>> --
>> Sent from: http://apache-ignite-users.70518.x6.nabble.com/
>>
>
>
>

Re: critical security vulnerability for /opt/ignite/apache-ignite/libs/optional/ignite-rest-http/log4j-1.2.17.jar

Posted by Stephen Darlington <st...@gridgain.com>.
Actually, this is an interesting one: it’s not the top level ignite-log4j module, but a dependency of ignite-rest-http. Why does the REST API have log4j (and slf4j) dependencies at all?

> On 21 Sep 2020, at 10:19, Ilya Kasnacheev <il...@gmail.com> wrote:
> 
> Hello!
> 
> Log4J 1.x does not have any non-vulnerable releases, and Log4J2 is not binary compatible.
> 
> You can sidestep this by not including ignite-log4j module and instead resorting to ignite-log4j2.
> 
> Regards,
> -- 
> Ilya Kasnacheev
> 
> 
> Sat, 19 Sep 2020 at 01:47, Andrew Story <andrewstory@fico.com <ma...@fico.com>>:
> Would it be possible in the next release of Ignite to upgrade the 3rd party
> component
> /opt/ignite/apache-ignite/libs/optional/ignite-rest-http/log4j-1.2.17.jar to
> log4j-core-2.13.3.jar?
> 
> This component log4j-1.2.17.jar is flagged as having a critical security
> vulnerability which is described here:
> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
> 
> The latest version of this component appears to be 2.13.3 which should
> resolve the vulnerability:
> https://logging.apache.org/log4j/2.x/download.html.
> 
> Thanks,
> 
> Andrew Story
> 
> 
> 
> 
> --
> Sent from: http://apache-ignite-users.70518.x6.nabble.com/



Re: critical security vulnerability for /opt/ignite/apache-ignite/libs/optional/ignite-rest-http/log4j-1.2.17.jar

Posted by Ilya Kasnacheev <il...@gmail.com>.
Hello!

Log4J 1.x does not have any non-vulnerable releases, and Log4J2 is not
binary compatible.

You can sidestep this by not including ignite-log4j module and instead
resorting to ignite-log4j2.

Regards,
-- 
Ilya Kasnacheev


Sat, 19 Sep 2020 at 01:47, Andrew Story <an...@fico.com>:

> Would it be possible in the next release of Ignite to upgrade the 3rd party
> component
> /opt/ignite/apache-ignite/libs/optional/ignite-rest-http/log4j-1.2.17.jar
> to
> log4j-core-2.13.3.jar?
>
> This component log4j-1.2.17.jar is flagged as having a critical security
> vulnerability which is described here:
> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
>
> The latest version of this component appears to be 2.13.3 which should
> resolve the vulnerability:
> https://logging.apache.org/log4j/2.x/download.html.
>
> Thanks,
>
> Andrew Story
>
>
>
>
> --
> Sent from: http://apache-ignite-users.70518.x6.nabble.com/
>
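The two replies above make one practical point: dropping the ignite-log4j module is not enough when log4j-1.2.17.jar is also carried by ignite-rest-http, so the libs tree has to be inventoried rather than assumed clean. The check below is an added example, not code from the thread or from Ignite itself; it assumes an Ignite libs directory is passed as its argument and that Log4j 1.x jars follow the log4j-1.x.y.jar naming, while the Log4j 2 bridge log4j-1.2-api-2.x.jar and log4j-core-2.x.jar are deliberately not flagged.

```shell
#!/bin/sh
# Added example (not part of the thread): inventory every Log4j 1.x jar under an
# Ignite libs directory and report which module directory carries it, so a jar
# pulled in transitively (here by ignite-rest-http) is not missed when only the
# top-level ignite-log4j module has been removed.
# Usage: check_log4j1 /opt/ignite/apache-ignite/libs

# Print "<module-dir>\t<jar-name>" for each Log4j 1.x jar, sorted, one per line.
find_log4j1() {
    libs="$1"
    [ -d "$libs" ] || { echo "no such libs dir: $libs" >&2; return 2; }
    # Log4j 1.x artifacts are named log4j-1.<minor>.<patch>.jar. The Log4j 2
    # compatibility bridge is log4j-1.2-api-<2.x>.jar and must be excluded,
    # as must log4j-core-2.x / log4j-api-2.x, which never match the pattern.
    find "$libs" -type f -name 'log4j-1.*.jar' ! -name 'log4j-1.2-api-*.jar' |
    while IFS= read -r jar; do
        module=$(basename "$(dirname "$jar")")
        printf '%s\t%s\n' "$module" "$(basename "$jar")"
    done | sort
}

# Exit 0 when the tree carries no Log4j 1.x jar, 1 when at least one was found,
# 2 when the directory does not exist. Prints the findings for the operator.
check_log4j1() {
    hits=$(find_log4j1 "$1") || return 2
    if [ -n "$hits" ]; then
        printf 'Log4j 1.x jar(s) present (CVE-2019-17571):\n%s\n' "$hits"
        return 1
    fi
    echo "no Log4j 1.x jars under $1"
    return 0
}
```

Run it once before and once after swapping ignite-log4j for ignite-log4j2; a non-zero exit after the swap means another module (such as ignite-rest-http) still ships the 1.x jar.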