Posted to dev@unomi.apache.org by "Jonathan Sinovassin (Jira)" <ji...@apache.org> on 2022/01/24 10:22:00 UTC
[jira] [Created] (UNOMI-546) Update log4j version
Jonathan Sinovassin created UNOMI-546:
-----------------------------------------
Summary: Update log4j version
Key: UNOMI-546
URL: https://issues.apache.org/jira/browse/UNOMI-546
Project: Apache Unomi
Issue Type: Task
Reporter: Jonathan Sinovassin
Fix For: 2.0.0, 1.6.0
A vulnerability has been uncovered in the [Apache Log4j2|https://logging.apache.org/log4j/2.x/] library, tracked under the following reference: [CVE-2021-44228|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228]. The vulnerability has been dubbed the *Log4Shell* exploit.
You can find [here|https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/] and [here|https://www.kaspersky.com/blog/log4shell-critical-vulnerability-in-apache-log4j/43124/] some pretty detailed explanations of the vulnerability, its impact and level of risk.
The versions of Log4j impacted by the vulnerability are from 2.0-beta9 to 2.14.1. The Apache foundation released version 2.15 last Friday, which addresses the issue.
The module unomi-persistence-elasticsearch is using version 2.12.1; we should update it to 2.15.0.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
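Added example (not part of the original issue or of Apache Unomi's code): a check that flags log4j-core jars whose version falls in the range the issue gives, 2.0-beta9 to 2.14.1, including pre-release qualifiers. The function names, the jar naming pattern log4j-core-<version>.jar and the sample paths are assumptions made for illustration.

```python
import re

# Affected range as stated in the issue (inclusive on both ends).
LOW, HIGH = "2.0-beta9", "2.14.1"

# Assumed naming convention: log4j-core-<version>.jar
_JAR_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*(?:-[A-Za-z]+\d*)?)\.jar$")
_QUAL_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # pre-releases sort before a release


def version_key(version):
    """Turn '2.0-beta9' or '2.12.1' into a tuple that sorts in release order."""
    numeric, _, qualifier = version.partition("-")
    parts = [int(p) for p in numeric.split(".")]
    parts += [0] * (3 - len(parts))  # '2.15' compares equal to '2.15.0'
    if not qualifier:
        return (*parts, 3, 0)  # final release ranks above any pre-release
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", qualifier)
    if not m or m.group(1).lower() not in _QUAL_RANK:
        raise ValueError(f"unrecognised qualifier in {version!r}")
    return (*parts, _QUAL_RANK[m.group(1).lower()], int(m.group(2) or 0))


def in_affected_range(version):
    return version_key(LOW) <= version_key(version) <= version_key(HIGH)


def scan(paths):
    """Return {path: version} for log4j-core jars that need attention."""
    hits = {}
    for path in paths:
        m = _JAR_RE.search(path)
        if not m:
            continue  # not a log4j-core jar under the assumed naming
        try:
            if in_affected_range(m.group(1)):
                hits[path] = m.group(1)
        except ValueError:
            # Fail loud: an unknown qualifier is reported, not silently skipped.
            hits[path] = m.group(1) + " (unrecognised, check manually)"
    return hits


# Constructed sample paths; 2.12.1 is the version the issue names.
SAMPLE = ["lib/log4j-core-2.12.1.jar", "lib/log4j-core-2.15.0.jar",
          "lib/log4j-core-2.0-beta8.jar", "lib/log4j-core-2.0-rc1.jar",
          "lib/log4j-core-2.12.1-SNAPSHOT.jar", "lib/log4j-1.2.17.jar"]

if __name__ == "__main__":
    for path, version in scan(SAMPLE).items():
        print(f"{path}: {version}")
```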