You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ofbiz.apache.org by jl...@apache.org on 2021/12/19 02:32:00 UTC
[ofbiz-framework] branch release18.12 updated: Fixed: [SECURITY] CVE-2021-45105: Apache Log4j2 (OFBIZ-12470)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new 4442c2a Fixed: [SECURITY] CVE-2021-45105: Apache Log4j2 (OFBIZ-12470)
4442c2a is described below
commit 4442c2adcad6f50afe232fbeddb36a3143226c66
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Sun Dec 19 03:30:49 2021 +0100
Fixed: [SECURITY] CVE-2021-45105: Apache Log4j2 (OFBIZ-12470)
CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 does not protect
from uncontrolled recursion from self-referential lookups. This allows an
attacker with control over Thread Context Map data to cause a denial of service
when a crafted string is interpreted.
This issue is fixed in Log4j 2.17.0.:
https://logging.apache.org/log4j/2.x/security.html
---
build.gradle | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/build.gradle b/build.gradle
index b6772f9..1053028 100644
--- a/build.gradle
+++ b/build.gradle
@@ -190,7 +190,7 @@ dependencies {
compile 'org.apache.geronimo.components:geronimo-transaction:3.1.4'
compile 'org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1'
compile 'org.apache.httpcomponents:httpclient-cache:4.5.6'
- compile 'org.apache.logging.log4j:log4j-api:2.16.0' // the API of log4j 2
+ compile 'org.apache.logging.log4j:log4j-api:2.17.0' // the API of log4j 2
compile 'org.apache.poi:poi:3.17'
compile 'org.apache.pdfbox:pdfbox:2.0.24'
compile 'org.apache.shiro:shiro-core:1.4.0'
@@ -231,11 +231,11 @@ dependencies {
runtime 'org.apache.axis2:axis2-transport-local:1.7.8'
runtime 'org.apache.derby:derby:10.14.2.0'
runtime 'org.apache.geronimo.specs:geronimo-jaxrpc_1.1_spec:1.1'
- runtime 'org.apache.logging.log4j:log4j-1.2-api:2.16.0' // for external jars using the old log4j1.2: routes logging to log4j 2
- runtime 'org.apache.logging.log4j:log4j-core:2.16.0' // the implementation of the log4j 2 API
- runtime 'org.apache.logging.log4j:log4j-jul:2.16.0' // for external jars using the java.util.logging: routes logging to log4j 2
- runtime 'org.apache.logging.log4j:log4j-slf4j-impl:2.16.0' // for external jars using slf4j: routes logging to log4j 2
- runtime 'org.apache.logging.log4j:log4j-jcl:2.16.0' // need to constrain to version to avoid classpath conflict (ReflectionUtil)
+ runtime 'org.apache.logging.log4j:log4j-1.2-api:2.17.0' // for external jars using the old log4j1.2: routes logging to log4j 2
+ runtime 'org.apache.logging.log4j:log4j-core:2.17.0' // the implementation of the log4j 2 API
+ runtime 'org.apache.logging.log4j:log4j-jul:2.17.0' // for external jars using the java.util.logging: routes logging to log4j 2
+ runtime 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.0' // for external jars using slf4j: routes logging to log4j 2
+ runtime 'org.apache.logging.log4j:log4j-jcl:2.17.0' // need to constrain to version to avoid classpath conflict (ReflectionUtil)
runtime 'org.codeartisans.thirdparties.swing:batik-all:1.8pre-r1084380'
// plugin libs