You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tika.apache.org by "Josh Burchard (Jira)" <ji...@apache.org> on 2022/02/02 18:49:00 UTC
[jira] [Created] (TIKA-3669) CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.
Josh Burchard created TIKA-3669:
-----------------------------------
Summary: CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.
Key: TIKA-3669
URL: https://issues.apache.org/jira/browse/TIKA-3669
Project: Tika
Issue Type: Bug
Components: app, server
Affects Versions: 2.2.1
Reporter: Josh Burchard
Fix For: 2.2.2, 2.3.0
Possible to get Apache Log4j2 bumped up to version 2.17.1 in Tika? I didn't see it mentioned in the [pre-release notes for Tika 2.3.0|https://github.com/apache/tika/blob/82ed7304f16a452133f956ef2c27a52409f9bcbf/CHANGES.txt] so I thought I'd ask here. Since it seems like log4j2 changes have ceased being a moving target, it'd be excellent to just have the latest and greatest version.
[Apache Log4j Security Vulnerabilities|https://logging.apache.org/log4j/2.x/security.html]
--
This message was sent by Atlassian Jira
(v8.20.1#820001)