You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tika.apache.org by "Tim Allison (Jira)" <ji...@apache.org> on 2022/02/02 19:40:00 UTC
[jira] [Commented] (TIKA-3669) CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.
[ https://issues.apache.org/jira/browse/TIKA-3669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17486057#comment-17486057 ]
Tim Allison commented on TIKA-3669:
-----------------------------------
Updated CHANGES.txt to reflect this. Next release coming soon. I hope.
> CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.
> -------------------------------------------------------------------------------------------------------
>
> Key: TIKA-3669
> URL: https://issues.apache.org/jira/browse/TIKA-3669
> Project: Tika
> Issue Type: Bug
> Components: app, server
> Affects Versions: 2.2.1
> Reporter: Josh Burchard
> Priority: Major
> Fix For: 2.2.2, 2.3.0
>
>
> Possible to get Apache Log4j2 bumped up to version 2.17.1 in Tika? I didn't see it mentioned in the [pre-release notes for Tika 2.3.0|https://github.com/apache/tika/blob/82ed7304f16a452133f956ef2c27a52409f9bcbf/CHANGES.txt] so I thought I'd ask here. Since it seems like log4j2 changes have ceased being a moving target, it'd be excellent to just have the latest and greatest version.
> [Apache Log4j Security Vulnerabilities|https://logging.apache.org/log4j/2.x/security.html]
--
This message was sent by Atlassian Jira
(v8.20.1#820001)