Posted to fortress@directory.apache.org by Shawn McKinney <sm...@apache.org> on 2021/12/13 19:31:25 UTC

CVE-2021-44228 Announcement

Some more information about our response to CVE-2021-44228...

An emergency release, v2.0.7, occurred over the weekend which included an upgrade to the latest Log4j-core library 2.15.0.

It also included other dependency upgrades (to latest Spring Security, Apache CXF and Apache Wicket) for Web and Rest dependencies to be up-to-date.

More info about the Log4Shell vulnerability and Apache Fortress:

• If using the Apache Fortress Core 2.0.6, no need to upgrade. It uses the Apache Log4j-core lib, but only as a test dependency.

• Dependent apps of the Apache Fortress Core 2.0.6 don’t need to upgrade.  It doesn’t pull in the Log4j-core lib as a compile or runtime dependency.

• Apache Fortress 2.0.6 Web (Commander) and Rest (Enmasse) deployments are affected. Upgrade immediately, or follow the mitigation procedures as described by the Apache Log4j project.

• Previous versions of Apache Fortress, before 2.0.6, did not use Apache Log4j and aren’t affected.

Contact us on our mailing list, or private email me directly if you have any questions.

Thanks

—
Shawn
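
One way to check a deployed Web or Rest WAR for a bundled log4j-core older than the 2.15.0 named in the announcement. This is an added example, not part of the original message or of Apache Fortress; the function names, the sample jar names and the reliance on Maven's `pom.properties` metadata for renamed jars are assumptions, and the sample WAR is constructed in memory.

```python
import io
import re
import zipfile

FIXED = (2, 15, 0)  # log4j-core version the announcement says v2.0.7 ships
JAR_RE = re.compile(r"/log4j-core-(\d+(?:\.\d+)*)[^/]*\.jar$")
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def _parse(version):
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))  # '2.0' -> (2, 0, 0)

def scan_war(war_bytes, fixed=FIXED):
    """Return [(entry, version, older_than_fixed)] for log4j-core jars in a WAR."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if not (name.startswith("WEB-INF/lib/") and name.endswith(".jar")):
                continue
            m = JAR_RE.search(name)
            if m is None:  # renamed jar: fall back to Maven metadata inside it
                try:
                    with zipfile.ZipFile(io.BytesIO(war.read(name))) as jar:
                        props = jar.read(POM_PROPS).decode("utf-8", "replace")
                except (KeyError, zipfile.BadZipFile):
                    continue  # not log4j-core, or not a readable jar
                m = re.search(r"^version=(\S+)", props, re.M)
                if m is None:
                    continue
            findings.append((name, m.group(1), _parse(m.group(1)) < fixed))
    return findings

def make_war(jars):
    """Build a constructed WAR: {jar file name: pom.properties text or None}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for jar_name, props in jars.items():
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as jar:
                if props:
                    jar.writestr(POM_PROPS, props)
            war.writestr("WEB-INF/lib/" + jar_name, inner.getvalue())
    return buf.getvalue()

if __name__ == "__main__":
    sample = make_war({"log4j-core-2.14.1.jar": None, "log4j-api-2.14.1.jar": None})
    for entry, version, older in scan_war(sample):
        print(entry, version, "UPGRADE" if older else "ok")
```

To scan a real deployment, pass the bytes of the WAR file to `scan_war`; an empty result means no log4j-core jar was found under `WEB-INF/lib/`.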