Hi David,

Right now we are very much dedicating our efforts to getting a 0.22.1 patch release out. It's taking longer than we'd hoped due to an unexpected issue with the upgrade to log4j 2.15.0: https://github.com/apache/druid/pull/12056 .

Based on the testing we've done so far, though, I think there's another mitigation available to you if you want to stay on 0.21: you could drop in the 5 new log4j2 2.15.0 jars to lib/, remove the 2.8.2 jars, and add -Dlog4j2.is.webapp=false to your jvm command line. The new jars will fix the vulnerability and the jvm config avoids the error on shutdown.

On Fri, Dec 10, 2021 at 2:35 PM David Glasser <glas...@apollographql.com> wrote:

> I will note that the `%m{nolookups}` workaround feels a lot more challenging to feel comfortable using than the `-D`/env var workarounds that work in the newer versions. For example, our log4j2.xml file has two Appenders, one of which uses JsonLayout and one of which uses PatternLayout. It's hard to understand from the docs as a non-log4j-expert if the JsonLayout appender is vulnerable or not and if there's a way to apply `%m{nolookups}` to it.
>
> Because the workarounds for Druid are more challenging than for projects on the slightly newer versions of log4j2, perhaps it would be appropriate to put out one or two more patch releases, against 0.21 and/or 0.20? I know our installation is still on 0.21, which is less than 2 months old.
>
> On Fri, Dec 10, 2021 at 11:35 AM Gian Merlino <g...@apache.org> wrote:
>
> > We're working on this right now and will be getting a vote / release for 0.22.1 out asap.
> >
> > Btw, the log4j announcement mentions a mitigation that does work for our current version (2.8.2). It's part (b) here, specifying "%m{nolookups}" in the PatternLayout configuration: https://lists.apache.org/thread/bfnl1stql187jytr0t5k0hv0go6b76g4. However, I haven't personally tested this, so I cannot provide any more details beyond pointing to the announcement.
> >
> > On Fri, Dec 10, 2021 at 10:27 AM Lucas Capistrant <capistrant.lu...@gmail.com> wrote:
> >
> > > Since it is “critical” severity, I think it would be a good idea to seriously consider pushing out a minor version of 0.22.x. Especially since the mitigation strategy outlined in the CVE is not available in the log4j version that exists today in the current stable release. There is past precedent for such releases: see 0.20.2
> > >
> > > On Fri, Dec 10, 2021 at 12:14 PM Eyal Yurman <eyurma...@yahooinc.com.invalid> wrote:
> > >
> > > > Hello, regarding https://github.com/apache/druid/pull/12051 which merged to master,
> > > >
> > > > Is it a common practice for the project to backport and release a new minor for the latest version?
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@druid.apache.org
> For additional commands, e-mail: dev-h...@druid.apache.org
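A defender-side check for the drop-in mitigation described at the top of this message (2.8.2 jars gone from lib/, 2.15.0 jars present, -Dlog4j2.is.webapp=false on the JVM command line), added here as an example and not code from the Druid project or anyone on the thread. It assumes the jars are named log4j-*-<version>.jar and that JVM flags are kept one per line in a jvm.config file; it does not know which 5 jars are expected, so it only checks that none of the old version remain and at least one of the new version is present.

```shell
# Added example (not from the Druid project or the thread authors).
# Verifies the lib/-swap mitigation for the log4j lookup vulnerability:
# no log4j 2.8.2 jars, at least one 2.15.0 jar, and the shutdown-error
# workaround flag -Dlog4j2.is.webapp=false present in the JVM flags file.
# Assumptions: jar names look like log4j-<module>-<version>.jar and the
# flags file (e.g. Druid's jvm.config) has one flag per line.

# Count jars in directory $1 matching log4j-*-<$2>.jar (0 if none).
count_log4j_jars() {
    n=0
    for jar in "$1"/log4j-*-"$2".jar; do
        [ -e "$jar" ] && n=$((n + 1))
    done
    echo "$n"
}

# Succeed (0) if flags file $1 has -Dlog4j2.is.webapp=false on its own line.
has_webapp_flag() {
    grep -qx -- '-Dlog4j2.is.webapp=false' "$1"
}

# Overall check: returns 0 when the mitigation is fully in place, 1 otherwise.
check_log4j_mitigation() {
    libdir="$1"; jvmconf="$2"; ok=0
    old=$(count_log4j_jars "$libdir" 2.8.2)
    new=$(count_log4j_jars "$libdir" 2.15.0)
    if [ "$old" -ne 0 ]; then
        echo "FAIL: $old log4j 2.8.2 jar(s) still present in $libdir" >&2; ok=1
    fi
    if [ "$new" -eq 0 ]; then
        echo "FAIL: no log4j 2.15.0 jars found in $libdir" >&2; ok=1
    fi
    if ! has_webapp_flag "$jvmconf"; then
        echo "FAIL: -Dlog4j2.is.webapp=false missing from $jvmconf" >&2; ok=1
    fi
    [ "$ok" -eq 0 ] && echo "OK: log4j mitigation in place"
    return "$ok"
}

# Usage (paths are placeholders): check_log4j_mitigation /opt/druid/lib /opt/druid/conf/jvm.config
```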