You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tika.apache.org by "Josh Burchard (Jira)" <ji...@apache.org> on 2022/02/02 18:49:00 UTC

[jira] [Created] (TIKA-3669) CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.

Josh Burchard created TIKA-3669:
-----------------------------------

             Summary: CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.
                 Key: TIKA-3669
                 URL: https://issues.apache.org/jira/browse/TIKA-3669
             Project: Tika
          Issue Type: Bug
          Components: app, server
    Affects Versions: 2.2.1
            Reporter: Josh Burchard
             Fix For: 2.2.2, 2.3.0


Possible to get Apache Log4j2 bumped up to version 2.17.1 in Tika?  I didn't see it mentioned in the [pre-release notes for Tika 2.3.0|https://github.com/apache/tika/blob/82ed7304f16a452133f956ef2c27a52409f9bcbf/CHANGES.txt] so I thought I'd ask here. Since it seems like log4j2 changes have ceased being a moving target, it'd be excellent to just have the latest and greatest version.

[Apache Log4j Security Vulnerabilities|https://logging.apache.org/log4j/2.x/security.html]



--
This message was sent by Atlassian Jira
(v8.20.1#820001)