Posted to dev@unomi.apache.org by "Jonathan Sinovassin (Jira)" <ji...@apache.org> on 2022/01/24 10:22:00 UTC

[jira] [Assigned] (UNOMI-546) Update log4j version

     [ https://issues.apache.org/jira/browse/UNOMI-546?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jonathan Sinovassin reassigned UNOMI-546:
-----------------------------------------

    Assignee: Jonathan Sinovassin

> Update log4j version
> --------------------
>
>                 Key: UNOMI-546
>                 URL: https://issues.apache.org/jira/browse/UNOMI-546
>             Project: Apache Unomi
>          Issue Type: Task
>            Reporter: Jonathan Sinovassin
>            Assignee: Jonathan Sinovassin
>            Priority: Major
>             Fix For: 2.0.0, 1.6.0
>
>
> A vulnerability has been uncovered in the [Apache Log4j2|https://logging.apache.org/log4j/2.x/] library, tracked under the following reference: [CVE-2021-44228|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228]. The vulnerability has been dubbed the *Log4Shell* exploit.
> You can find [here|https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/] and [here|https://www.kaspersky.com/blog/log4shell-critical-vulnerability-in-apache-log4j/43124/] some pretty detailed explanations of the vulnerability, its impact and level of risk.
>
> The versions of Log4j impacted by the vulnerability are from 2.0-beta9 to 2.14.1. The Apache foundation released last Friday version 2.15, which addresses the issue.
>
> The module unomi-persistence-elasticsearch is using version 2.12.1; we should update it to 2.15.0.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)