You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@storm.apache.org by "Franco Luong (Jira)" <ji...@apache.org> on 2022/01/03 16:20:00 UTC

[jira] [Updated] (STORM-3814) storm-core: Remediate log4j critical vulnerabilities -> 2.16.0 or newer, prefer 2.17.1

     [ https://issues.apache.org/jira/browse/STORM-3814?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Franco Luong updated STORM-3814:
--------------------------------
    Summary: storm-core: Remediate log4j critical vulnerabilities -> 2.16.0 or newer, prefer 2.17.1  (was: log4j)

> storm-core: Remediate log4j critical vulnerabilities -> 2.16.0 or newer, prefer 2.17.1
> --------------------------------------------------------------------------------------
>
>                 Key: STORM-3814
>                 URL: https://issues.apache.org/jira/browse/STORM-3814
>             Project: Apache Storm
>          Issue Type: Bug
>          Components: storm-core
>    Affects Versions: 1.2.3, 2.3.0
>            Reporter: Franco Luong
>            Priority: Critical
>
> * [https://logging.apache.org/log4j/2.x/security.html]
>  
> *In order to remediate these bugs with Log4j, please update Storm 2.3.0 and 1.2.3* 
>  * Criticals
>  * 
>  ** Fixed in Log4j 2.16.0 (Java 8) and Log4j 2.12.2 (Java 7)
>  *** [CVE-2021-45046|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046]: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations
>  * 
>  ** Fixed in Log4j 2.15.0 (Java 8)
>  *** [CVE-2021-44228|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228]: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
>  * Moderates
>  ** Fixed in Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6)
>  *** [CVE-2021-44832|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832]: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.
>  * 
>  ** Fixed in Log4j 2.17.0 (Java 8), 2.12.3 (Java 7) and 2.3.1 (Java 6)
>  *** [CVE-2021-45105|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105]: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)