You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@storm.apache.org by "Franco Luong (Jira)" <ji...@apache.org> on 2022/01/03 16:20:00 UTC
[jira] [Updated] (STORM-3814) storm-core: Remediate log4j critical vulnerabilities -> 2.16.0 or newer, prefer 2.17.1
[ https://issues.apache.org/jira/browse/STORM-3814?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Franco Luong updated STORM-3814:
--------------------------------
Summary: storm-core: Remediate log4j critical vulnerabilities -> 2.16.0 or newer, prefer 2.17.1 (was: log4j)
> storm-core: Remediate log4j critical vulnerabilities -> 2.16.0 or newer, prefer 2.17.1
> --------------------------------------------------------------------------------------
>
> Key: STORM-3814
> URL: https://issues.apache.org/jira/browse/STORM-3814
> Project: Apache Storm
> Issue Type: Bug
> Components: storm-core
> Affects Versions: 1.2.3, 2.3.0
> Reporter: Franco Luong
> Priority: Critical
>
> * [https://logging.apache.org/log4j/2.x/security.html]
>
> *In order to remediate these bugs with Log4j, please update Storm 2.3.0 and 1.2.3*
> * Criticals
> *
> ** Fixed in Log4j 2.16.0 (Java 8) and Log4j 2.12.2 (Java 7)
> *** [CVE-2021-45046|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046]: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations
> *
> ** Fixed in Log4j 2.15.0 (Java 8)
> *** [CVE-2021-44228|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228]: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
> * Moderates
> ** Fixed in Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6)
> *** [CVE-2021-44832|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832]: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.
> *
> ** Fixed in Log4j 2.17.0 (Java 8), 2.12.3 (Java 7) and 2.3.1 (Java 6)
> *** [CVE-2021-45105|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105]: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)