[ https://issues.apache.org/jira/browse/CASSANDRA-17204?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459528#comment-17459528 ]
Brandon Williams commented on CASSANDRA-17204:
----------------------------------------------

It's probably worth considering upgrading all the branches.

||Branch||CI||
|[3.0|https://github.com/driftx/cassandra/tree/CASSANDRA-17204]|[circle|https://app.circleci.com/pipelines/github/driftx/cassandra?branch=CASSANDRA-17204], [!https://ci-cassandra.apache.org/job/Cassandra-devbranch/1322/badge/icon!|https://ci-cassandra.apache.org/blue/organizations/jenkins/Cassandra-devbranch/detail/Cassandra-devbranch/1322/pipeline]|
|[3.11|https://github.com/driftx/cassandra/tree/CASSANDRA-17204-3.11]|[circle|https://app.circleci.com/pipelines/github/driftx/cassandra?branch=CASSANDRA-17204-3.11], [!https://ci-cassandra.apache.org/job/Cassandra-devbranch/1323/badge/icon!|https://ci-cassandra.apache.org/blue/organizations/jenkins/Cassandra-devbranch/detail/Cassandra-devbranch/1323/pipeline]|
|[4.0|https://github.com/driftx/cassandra/tree/CASSANDRA-17204-4.0]|[circle|https://app.circleci.com/pipelines/github/driftx/cassandra?branch=CASSANDRA-17204-4.0], [!https://ci-cassandra.apache.org/job/Cassandra-devbranch/1324/badge/icon!|https://ci-cassandra.apache.org/blue/organizations/jenkins/Cassandra-devbranch/detail/Cassandra-devbranch/1324/pipeline]|
|[trunk|https://github.com/driftx/cassandra/tree/CASSANDRA-17204-trunk]|[circle|https://app.circleci.com/pipelines/github/driftx/cassandra?branch=CASSANDRA-17204-trunk], [!https://ci-cassandra.apache.org/job/Cassandra-devbranch/1325/badge/icon!|https://ci-cassandra.apache.org/blue/organizations/jenkins/Cassandra-devbranch/detail/Cassandra-devbranch/1325/pipeline]|

> Upgrade to Logback 1.2.8 (security)
> -----------------------------------
>
> Key: CASSANDRA-17204
> URL: https://issues.apache.org/jira/browse/CASSANDRA-17204
> Project: Cassandra
> Issue Type: Improvement
> Components: Dependencies
> Reporter: Jochen Schalanda
> Assignee: Brandon Williams
> Priority: Normal
> Fix For: 4.x
>
>
> Logback 1.2.8 has been released with a fix for a potential vulnerability in its JNDI lookup.
> * [http://logback.qos.ch/news.html]
> * [https://jira.qos.ch/browse/LOGBACK-1591]
> {quote}*14th of December, 2021, Release of version 1.2.8*
> We note that the vulnerability mentioned in LOGBACK-1591 requires write access to logback's configuration file as a prerequisite.
> * In response to LOGBACK-1591, we have disabled all JNDI lookup code in logback until further notice. This impacts {{ContextJNDISelector}} and {{<insertFromJNDI>}} element in configuration files.
> * Also in response to LOGBACK-1591, we have removed all database (JDBC) related code in the project with no replacement.
> We note that the vulnerability mentioned in LOGBACK-1591 requires write access to logback's configuration file as a prerequisite. A successful RCE requires all of the following to be true:
> * write access to logback.xml
> * use of versions < 1.2.8
> * reloading of poisoned configuration data, which implies application restart or scan="true" set prior to attack
> Therefore and as an additional precaution, in addition to upgrading to version 1.2.8, we also recommend users to set their logback configuration files as read-only.
> {quote}
> This is not as bad as CVE-2021-44228 in Log4j <2.15.0 (Log4Shell), but should probably be fixed anyway.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
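As an added example (not part of the Jira issue, Cassandra or the Logback project), a Python audit that checks a logback.xml against the preconditions listed in the quoted 1.2.8 notes: a Logback version older than 1.2.8, a writable configuration file, scan="true", and any <insertFromJNDI> element. The sample configuration, temp file and version strings are constructed for the demonstration; the function names are this example's own.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample config exhibiting every precondition the Logback notes list.
WEAK_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration scan="true" scanPeriod="30 seconds">
  <insertFromJNDI env-entry-name="java:comp/env/appName" as="appName"/>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder><pattern>%d %-5level ${appName} %logger - %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>
"""
# Same config with live reloading and the JNDI element removed.
HARDENED_CONFIG = WEAK_CONFIG.replace(' scan="true" scanPeriod="30 seconds"', "").replace(
    '  <insertFromJNDI env-entry-name="java:comp/env/appName" as="appName"/>\n', "")


def audit_logback_config(path, logback_version):
    """Return findings for the config at `path`, given the Logback version on the classpath."""
    findings = []
    # "1.2.7" -> (1, 2, 7); a suffix such as "-SNAPSHOT" on the last component is ignored.
    if tuple(int(p.split("-")[0]) for p in logback_version.split(".")[:3]) < (1, 2, 8):
        findings.append(f"logback {logback_version} predates 1.2.8; JNDI lookup code is still enabled")
    if os.stat(path).st_mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
        findings.append("config file is writable; Logback recommends a read-only config file")
    root = ET.parse(path).getroot()
    if root.tag == "configuration" and root.get("scan", "false").lower() == "true":
        findings.append('scan="true": an edited config is reloaded without an application restart')
    for elem in root.iter("insertFromJNDI"):
        findings.append(f"<insertFromJNDI env-entry-name={elem.get('env-entry-name')!r}> does a JNDI lookup")
    return findings


def audit_sample(config_text, logback_version, read_only):
    """Write `config_text` to a temp file with the requested mode bits and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False) as fh:
        fh.write(config_text)
        path = fh.name
    try:
        os.chmod(path, 0o444 if read_only else 0o644)
        return audit_logback_config(path, logback_version)
    finally:
        os.chmod(path, 0o644)  # restore the write bit so the temp file can be removed
        os.unlink(path)


if __name__ == "__main__":
    print("weak:", audit_sample(WEAK_CONFIG, "1.2.7", read_only=False))
    print("hardened:", audit_sample(HARDENED_CONFIG, "1.2.8", read_only=True))
```

The check is file-based only: it does not inspect the JVM for the `ContextJNDISelector` setting the notes also mention, so that is still a separate review item.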