Posted to dev@unomi.apache.org by "Jonathan Sinovassin (Jira)" <ji...@apache.org> on 2022/01/24 10:22:00 UTC

[jira] [Created] (UNOMI-546) Update log4j version

Jonathan Sinovassin created UNOMI-546:
-----------------------------------------

             Summary: Update log4j version
                 Key: UNOMI-546
                 URL: https://issues.apache.org/jira/browse/UNOMI-546
             Project: Apache Unomi
          Issue Type: Task
            Reporter: Jonathan Sinovassin
             Fix For: 2.0.0, 1.6.0


A vulnerability has been uncovered in the [Apache Log4j2|https://logging.apache.org/log4j/2.x/] library, tracked under the following reference: [CVE-2021-44228|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228]. The vulnerability has been dubbed the *Log4Shell* exploit.

You can find [here|https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/] and [here|https://www.kaspersky.com/blog/log4shell-critical-vulnerability-in-apache-log4j/43124/] some pretty detailed explanations of the vulnerability, its impact and level of risk.

The versions of Log4j impacted by the vulnerability are from 2.0-beta9 to 2.14.1. The Apache foundation released version 2.15 last Friday, which addresses the issue.

The module unomi-persistence-elasticsearch is using version 2.12.1; we should update it to 2.15.0.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
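
The affected range quoted in the ticket (2.0-beta9 to 2.14.1) can be checked against a build or distribution tree. The script below is an added example, not part of the original message or of Apache Unomi; its function names are hypothetical, and it assumes jars keep the standard `log4j-core-<version>.jar` file name, so shaded or repackaged copies are not detected.

```python
import re
import sys
from pathlib import Path

# Affected range as stated in the ticket, both ends inclusive.
FIRST_AFFECTED = "2.0-beta9"
LAST_AFFECTED = "2.14.1"

# Matches release and alpha/beta/rc jars; skips -sources, -tests and other classifiers.
JAR_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*(?:-(?:alpha|beta|rc)\d+)?)\.jar$")


def version_key(version):
    """Sortable key in which a pre-release (alpha1, beta9, rc2) precedes its release."""
    base, _, suffix = version.partition("-")
    nums = [int(part) for part in base.split(".")]
    nums += [0] * (3 - len(nums))  # "2.0" and "2.0.0" compare equal
    if not suffix:
        return (tuple(nums), 1, "", 0)  # final release sorts after any pre-release
    m = re.fullmatch(r"(alpha|beta|rc)(\d+)", suffix)
    if m is None:
        raise ValueError(f"unrecognised version suffix: {version!r}")
    # "alpha" < "beta" < "rc" already holds for plain string comparison.
    return (tuple(nums), 0, m.group(1), int(m.group(2)))


def is_affected(version):
    """True when version lies inside the range given in the ticket."""
    return version_key(FIRST_AFFECTED) <= version_key(version) <= version_key(LAST_AFFECTED)


def scan(root):
    """Return sorted (relative path, version, affected) for each log4j-core jar under root."""
    findings = []
    for jar in Path(root).rglob("log4j-core-*.jar"):
        m = JAR_RE.search(jar.name)
        if m:
            version = m.group(1)
            findings.append((str(jar.relative_to(root)), version, is_affected(version)))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python check_log4j.py <directory>   (defaults to the current directory)
    for path, version, affected in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'AFFECTED' if affected else 'ok':8}  {version:12}  {path}")
```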