Posted to dev@drill.apache.org by GitBox <gi...@apache.org> on 2021/12/10 13:14:45 UTC

[GitHub] [drill] kingswanwho opened a new pull request #2403: Drill: upgrade log4j to 2.15.0 for permanent vulnerability mitigation

kingswanwho opened a new pull request #2403:
URL: https://github.com/apache/drill/pull/2403


   # [permanent vulnerability mitigation]: upgrade log4j to 2.15.0 for permanent vulnerability mitigation
   
   ## Description
   
   Log4j version 2.14.1 used by Drill has a server vulnerability; upgrade the version to 2.15.0 for permanent mitigation.
   
   ## Documentation
   
   Please refer to https://www.lunasec.io/docs/blog/log4j-zero-day/
   
   ## Testing
   N/A
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@drill.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [drill] dzamo commented on pull request #2403: DRILL-8074: Upgrade log4j because of CVE-2021-44228

Posted by GitBox <gi...@apache.org>.
dzamo commented on pull request #2403:
URL: https://github.com/apache/drill/pull/2403#issuecomment-991477294


   Thanks everybody.  Since this PR is ready to go and very simple I'm going to merge it now so we can settle back down out of critical vulnerability patching mode.





[GitHub] [drill] kingswanwho commented on pull request #2403: DRILL-8074: Upgrade log4j because of CVE-2021-44228

Posted by GitBox <gi...@apache.org>.
kingswanwho commented on pull request #2403:
URL: https://github.com/apache/drill/pull/2403#issuecomment-991045213


   > Thank you @kingswanwho! Is it only the format-excel plugin that uses a vulnerable version of log4j?
   
   Hi @dzamo, thank you so much for your reminder. It does have another vulnerable version of log4j, which is referred to by poi.
   I upgraded it as well, please refer to my updated test.





[GitHub] [drill] dzamo merged pull request #2403: DRILL-8074: Upgrade log4j because of CVE-2021-44228

Posted by GitBox <gi...@apache.org>.
dzamo merged pull request #2403:
URL: https://github.com/apache/drill/pull/2403


   





[GitHub] [drill] kingswanwho commented on pull request #2403: DRILL-8074: Upgrade log4j because of CVE-2021-44228

Posted by GitBox <gi...@apache.org>.
kingswanwho commented on pull request #2403:
URL: https://github.com/apache/drill/pull/2403#issuecomment-991361992


   
   
   
   > Thanks for updating the log4j version. No drill release contains the log4j dependency - it was only added to drill-format-excel recently. I'm not sure if there is any logging in POI that logs data from xlsx files that it processes. Drill is mainly using excel-streaming-reader which does not itself use log4j logging but excel-streaming-reader does use some POI code.
   
   Thank you for the explanation.





[GitHub] [drill] dzamo commented on pull request #2403: DRILL-8074: Upgrade log4j because of CVE-2021-44228

Posted by GitBox <gi...@apache.org>.
dzamo commented on pull request #2403:
URL: https://github.com/apache/drill/pull/2403#issuecomment-990969583


   Thank you @kingswanwho!  Is it only the format-excel plugin that uses a vulnerable version of log4j?





[GitHub] [drill] pjfanning commented on pull request #2403: DRILL-8074: Upgrade log4j because of CVE-2021-44228

Posted by GitBox <gi...@apache.org>.
pjfanning commented on pull request #2403:
URL: https://github.com/apache/drill/pull/2403#issuecomment-991129955


   Thanks for updating the log4j version. No drill release contains the log4j dependency - it was only added to drill-format-excel recently. I'm not sure if there is any logging in POI that logs data from xlsx files that it processes. Drill is mainly using excel-streaming-reader which does not itself use log4j logging but excel-streaming-reader does use some POI code.





[GitHub] [drill] pjfanning commented on pull request #2403: DRILL-8074: Upgrade log4j because of CVE-2021-44228

Posted by GitBox <gi...@apache.org>.
pjfanning commented on pull request #2403:
URL: https://github.com/apache/drill/pull/2403#issuecomment-991130660


   PS I have this change in https://github.com/apache/drill/pull/2400 too - that is ready for review/merging








[GitHub] [drill] kingswanwho commented on pull request #2403: DRILL-8074: Upgrade log4j because of CVE-2021-44228

Posted by GitBox <gi...@apache.org>.
kingswanwho commented on pull request #2403:
URL: https://github.com/apache/drill/pull/2403#issuecomment-991047923


   Hi @pjfanning, I saw that you committed an upgraded log4j to poi already, however it is still not released. So I overrode the log4j-api dependency in drill to 2.15.0. After you release the new version of poi, I can delete the override here.


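Answering dzamo's question above (which modules pull in a vulnerable log4j, directly or transitively through poi) means reading `mvn dependency:tree` output for every module. The following Python is an added example, not code from the PR or the Drill project: it parses constructed sample tree output (the module coordinates and versions are made up for illustration) and flags every org.apache.logging.log4j artifact older than the fixed version, attributed to the module whose tree pulls it in.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of `mvn dependency:tree` output; the coordinates and
# versions below are illustrative only, not taken from the Drill build.
SAMPLE_TREE = """\
[INFO] org.apache.drill.contrib:drill-format-excel:jar:1.0.0-SNAPSHOT
[INFO] +- org.apache.poi:poi:jar:5.0.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \\- com.github.pjfanning:excel-streaming-reader:jar:3.0.0:compile
[INFO] org.apache.drill.exec:drill-java-exec:jar:1.0.0-SNAPSHOT
[INFO] \\- org.apache.logging.log4j:log4j-api:jar:2.15.0:runtime
"""

SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' (or '2.15.0-rc1') into a tuple of ints for comparison."""
    nums = []
    for part in version.split("-")[0].split("."):
        digits = re.match(r"\d+", part)
        nums.append(int(digits.group()) if digits else 0)
    return tuple(nums)


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for a tree line, or None if it is not one."""
    coord = line.split("]", 1)[-1].strip(" +-\\|")  # drop '[INFO]' and tree drawing
    parts = coord.split(":")
    if len(parts) < 4:
        return None
    # Forms: g:a:type:version[:scope] or g:a:type:classifier:version[:scope]
    body = parts[3:]
    if body[-1] in SCOPES:
        body = body[:-1]
    return parts[0], parts[1], body[-1]


def find_vulnerable_log4j(tree_text: str, fixed: str = "2.15.0") -> List[Tuple[str, str, str]]:
    """List (artifact, version, module) for each log4j artifact older than `fixed`."""
    hits, module = [], "<unknown>"
    for raw in tree_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        group, artifact, version = parsed
        # A root line has no tree characters after '[INFO]': it names the module.
        if not raw.split("]", 1)[-1].lstrip().startswith(("+", "\\", "|")):
            module = artifact
        if group == "org.apache.logging.log4j" and parse_version(version) < parse_version(fixed):
            hits.append((artifact, version, module))
    return hits
```

Pass a later version as `fixed` when the baseline you patch to moves, and feed it the real output of `mvn dependency:tree` run from the project root so every module is covered.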


