Jochen Schalanda created CASSANDRA-17204:
--------------------------------------------
Summary: Upgrade to Logback 1.2.8 (security)
Key: CASSANDRA-17204
URL: https://issues.apache.org/jira/browse/CASSANDRA-17204
Project: Cassandra
Issue Type: Bug
Components: Dependencies
Reporter: Jochen Schalanda
Logback 1.2.8 has been released with a fix for a potential vulnerability in its
JNDI lookup.
* http://logback.qos.ch/news.html
* https://jira.qos.ch/browse/LOGBACK-1591
{quote}14th of December, 2021, Release of version 1.2.8
We note that the vulnerability mentioned in LOGBACK-1591 requires write access
to logback's configuration file as a prerequisite.
* • In response to LOGBACK-1591, we have disabled all JNDI lookup code in
logback until further notice. This impacts {{ContextJNDISelector}} and
{{<insertFromJNDI>}} element in configuration files.
* Also in response to LOGBACK-1591, we have removed all database (JDBC) related
code in the project with no replacement.
We note that the vulnerability mentioned in LOGBACK-1591 requires write access
to logback's configuration file as a prerequisite. A successful RCE requires
all of the following to be true:
* write access to logback.xml
* use of versions < 1.2.8
* reloading of poisoned configuration data, which implies application restart
or scan="true" set prior to attack
Therefore and as an additional precaution, in addition to upgrading to version
1.2.8, we also recommend users to set their logback configuration files as
read-only.
{quote}
This is not as bad as CVE-2021-44228 in Log4j <2.15.0 (Log4Shell), but should
probably be fixed anyway.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
