[ https://issues.apache.org/jira/browse/CASSANDRA-17204?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Berenguer Blasi updated CASSANDRA-17204: ---------------------------------------- Reviewers: Berenguer Blasi Status: Review In Progress (was: Patch Available) > Upgrade to Logback 1.2.9 (security) > ----------------------------------- > > Key: CASSANDRA-17204 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17204 > Project: Cassandra > Issue Type: Improvement > Components: Dependencies > Reporter: Jochen Schalanda > Assignee: Brandon Williams > Priority: Normal > Fix For: 3.0.x, 3.11.x, 4.0.x, 4.x > > > Logback 1.2.8 has been released with a fix for a potential vulnerability in > its JNDI lookup. > * [http://logback.qos.ch/news.html] > * [https://jira.qos.ch/browse/LOGBACK-1591] > {quote}*14th of December, 2021, Release of version 1.2.8* > We note that the vulnerability mentioned in LOGBACK-1591 requires write > access to logback's configuration file as a prerequisite. > * • In response to LOGBACK-1591, we have disabled all JNDI lookup code in > logback until further notice. This impacts {{ContextJNDISelector}} and > {{<insertFromJNDI>}} element in configuration files. > * Also in response to LOGBACK-1591, we have removed all database (JDBC) > related code in the project with no replacement. > We note that the vulnerability mentioned in LOGBACK-1591 requires write > access to logback's configuration file as a prerequisite. A successful RCE > requires all of the following to be true: > * write access to logback.xml > * use of versions < 1.2.8 > * reloading of poisoned configuration data, which implies application restart > or scan="true" set prior to attack > Therefore and as an additional precaution, in addition to upgrading to > version 1.2.8, we also recommend users to set their logback configuration > files as read-only. > {quote} > This is not as bad as CVE-2021-44228 in Log4j <2.15.0 (Log4Shell), but should > probably be fixed anyway. -- This message was sent by Atlassian Jira (v8.20.1#820001) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org