Skip to content

update log4j to 2.15.0 to address security vulnerabilities#12051

Merged
xvrl merged 1 commit intoapache:masterfrom
xvrl:update-log4j2
Dec 10, 2021
Merged

update log4j to 2.15.0 to address security vulnerabilities#12051
xvrl merged 1 commit intoapache:masterfrom
xvrl:update-log4j2

Conversation

@xvrl
Copy link
Member

@xvrl xvrl commented Dec 10, 2021

fixes #12050

@xvrl xvrl merged commit 1931601 into apache:master Dec 10, 2021
@xvrl xvrl deleted the update-log4j2 branch December 10, 2021 06:34
@FrankChen021
Copy link
Member

FrankChen021 commented Dec 10, 2021

@xvrl You're so quick. Why can't I find the 2.15.0 artifact on the mvnrepository.com?

gianm pushed a commit that referenced this pull request Dec 10, 2021
@xvrl @gianm
update log4j to 2.15.0 to address security vulnerabilities (#12051)
17f9233
@clintropolis
Copy link
Member

clintropolis commented Dec 10, 2021

it probably hasn't propagated to all of the mirrors yet, I see it here https://search.maven.org/search?q=g:org.apache.logging.log4j

@suneet-s suneet-s mentioned this pull request Dec 10, 2021
Merged
@a2l007
Copy link
Contributor

a2l007 commented Dec 10, 2021

Not sure if we know at this point if 2.15.0 will completely resolve this issue, but operators must be setting -Dlog4j2.formatMsgNoLookups=true in their jvm args meanwhile.

@suneet-s
Copy link
Contributor

suneet-s commented Dec 10, 2021

log4j's official announcement is here https://lists.apache.org/thread/bfnl1stql187jytr0t5k0hv0go6b76g4

Based on this, operators could add %m{nolookups} to the PatternLayout in log4j2.xml since we use log4j version 2.8.2 -Dlog4j2.formatMsgNoLookups=true will not work

@a2l007
Copy link
Contributor

a2l007 commented Dec 10, 2021

Thanks for clarifying @suneet-s

@jihoonson jihoonson added this to the 0.22.1 milestone Dec 10, 2021
@jihoonson jihoonson mentioned this pull request Dec 10, 2021
Closed
@clintropolis clintropolis mentioned this pull request Dec 11, 2021
Merged
@dongjoon-hyun
Copy link
Member

dongjoon-hyun commented Dec 12, 2021

Thank you all!

nikhil-ddu pushed a commit to twitter-forks/druid that referenced this pull request Dec 13, 2021
@xvrl
update log4j to 2.15.0 to address security vulnerabilities (apache#12051
edcf4ef 
)
nikhil-ddu pushed a commit to twitter-forks/druid that referenced this pull request Dec 13, 2021
@xvrl
update log4j to 2.15.0 to address security vulnerabilities (apache#12051
00da3a9 
)
@GElkayam
Copy link

GElkayam commented Dec 15, 2021
edited
Loading

@xvrl , @clintropolis , Is this going to get updated to 2.16 to mitigate CVE-2021-45046?
Nevermind, addressed in #12061

@FrankChen021
Copy link
Member

FrankChen021 commented Dec 16, 2021

@GElkayam I checked the description of that CVE. If I understand correctly, this vulnerability exists when thread context map pattern layout is applied.

Since Druid's default log4j2 configuration does not use such pattern layout, I think it's not affected by this problem.

This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack.

@juhoautio-rovio juhoautio-rovio mentioned this pull request Dec 17, 2021
Merged
debasatwa29 pushed a commit to debasatwa29/druid that referenced this pull request Jun 2, 2022
Pull upstream to upgrade log4j to 2.15.0 to address security vulnerab…
5bea06b 
…ilities

Summary:
Druid is running with JVM 1.8.0_232 but log4j 2.5 so it's P1 rather than p0.

Pull upstream to upgrade log4j to 2.15.0 to address security vulnerabilities

Changes are from the following upstream PRs:

# Upgrade log4j from 2.8.2 to 2.15.0
apache#12051
apache#12056

# Upgrade log4j from 2.5 to 2.8.2
apache#8878

Reviewers: O1139 Druid, jgu, itallam

Reviewed By: O1139 Druid, jgu, itallam

Subscribers: jenkins, shawncao, #realtime-analytics

Differential Revision: https://phabricator.pinadmin.com/D823708
anishanagarajan pushed a commit to twitter-forks/druid that referenced this pull request Sep 23, 2022
@xvrl
update log4j to 2.15.0 to address security vulnerabilities (apache#12051
b1de0a0 
)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@clintropolis clintropolis clintropolis approved these changes

@FrankChen021 FrankChen021 Awaiting requested review from FrankChen021

@asdf2014 asdf2014 Awaiting requested review from asdf2014

@ccaominh ccaominh Awaiting requested review from ccaominh

Assignees

No one assigned

Labels

Area - Dependencies Security

Projects

None yet

Milestone

0.22.1

Development

Successfully merging this pull request may close these issues.

Recommended to upgrade log4j to 2.15.0

9 participants

@xvrl @FrankChen021 @clintropolis @a2l007 @suneet-s @dongjoon-hyun @GElkayam @jihoonson @asdf2014