I just sent an email about the 0.22.1 release and this advisory to Royce who seems to be a maintainer of this page: https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/.
On Mon, Dec 13, 2021 at 12:20 PM Gian Merlino <g...@apache.org> wrote:
>
> To clarify about the mitigations: the "-Dlog4j2.formatMsgNoLookups=true" mitigation that has been floating around the Internet is *not effective* for log4j 2.8.2, which was used by Druid 0.22.0 and other recent versions. If you are going to stay on an older version of Druid, do not use this mitigation. Instead, use one of the two that we mention in our advisory.
>
> (But upgrading is best!)
>
> On Sat, Dec 11, 2021 at 1:50 AM Jihoon Son <jihoon...@apache.org> wrote:
> >
> > Severity: critical
> >
> >
> > Description:
> >
> > Apache Druid uses the Java logging library Apache Log4j, which has recently been identified to have a critical vulnerability that could lead to remote code execution (RCE). This vulnerability is triggered when an attacker can control any part of a log message. Due to the wide attack surface, it is critical that all Druid users patch or mitigate this vulnerability as soon as possible.
> >
> > The Log4j advisory is available at https://nvd.nist.gov/vuln/detail/CVE-2021-44228.
> >
> >
> > Affected versions:
> >
> > Druid 0.22.0 and earlier are affected.
> >
> >
> > Mitigation:
> >
> > We recommend that all users upgrade to Druid 0.22.1, which contains Apache Log4j 2.15.0. This version of Log4j has a fix for the vulnerability.
> >
> > If you are unable to upgrade Druid at this time, we recommend deploying a mitigation. Please refer to the Log4j announcement for details on possible mitigations: https://lists.apache.org/thread/bfnl1stql187jytr0t5k0hv0go6b76g4.
> >
> > Different Log4j versions have different mitigation options. Check the "lib" directory of your Druid installation for the "log4j-core" jar to see what version of Log4j you have. Recent versions of Druid use Log4j 2.8.2.
> >
> > Two possible mitigations for Log4j 2.8.2 are:
> >
> > 1) Specify "%m{nolookups}" in the PatternLayout configuration of your log4j2.xml file. Druid installations may have multiple log4j2.xml files; be sure to update all of them.
> >
> > 2) Remove the JndiLookup and JndiManager classes from the log4j-core jar.
> >
> > These mitigations require a cluster restart to take effect.
> >
> >
> > References:
> >
> > https://nvd.nist.gov/vuln/detail/CVE-2021-44228
> > https://lists.apache.org/thread/bfnl1stql187jytr0t5k0hv0go6b76g4
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@druid.apache.org
> > For additional commands, e-mail: dev-h...@druid.apache.org
> >
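The version check and the two Log4j 2.8.2 mitigations from the advisory, as an added example that is not Druid project code or anything from the thread: it scans a "lib" directory for log4j-core jars, reads the version, reports whether the JndiLookup and JndiManager classes are present, writes a copy of the jar with those classes removed, and flags PatternLayout patterns whose message specifier lacks {nolookups}. It assumes log4j-core jars carry Implementation-Version in META-INF/MANIFEST.MF (falling back to the file name) and that 2.15.0, the version the advisory names, is the fixed baseline; the jar, manifest and log4j2.xml it runs against are constructed inline so it works offline.

```python
"""Scan a Druid "lib" dir for log4j-core and apply the Log4j 2.8.2 mitigations
named in the advisory. Added example, not Druid code; the sample jar and
log4j2.xml below are constructed stand-ins."""
import re
import tempfile
import zipfile
from pathlib import Path

# Classes the advisory says to remove from log4j-core (mitigation 2).
JNDI_CLASSES = (
    "org/apache/logging/log4j/core/lookup/JndiLookup.class",
    "org/apache/logging/log4j/core/net/JndiManager.class",
)
FIXED_VERSION = (2, 15, 0)  # Log4j shipped with Druid 0.22.1 (assumed baseline)


def parse_version(text):
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def jar_version(jar_path):
    """Implementation-Version from the manifest (assumed present, as in real
    log4j-core jars), else the version embedded in the file name."""
    with zipfile.ZipFile(jar_path) as z:
        if "META-INF/MANIFEST.MF" in z.namelist():
            for line in z.read("META-INF/MANIFEST.MF").decode().splitlines():
                if line.startswith("Implementation-Version:"):
                    return line.split(":", 1)[1].strip()
    m = re.search(r"log4j-core-(\d+\.\d+\.\d+)", Path(jar_path).name)
    return m.group(1) if m else None


def jndi_classes_present(jar_path):
    with zipfile.ZipFile(jar_path) as z:
        names = set(z.namelist())
    return [c for c in JNDI_CLASSES if c in names]


def strip_jndi_classes(src, dst):
    """Copy src to dst, dropping the JNDI classes; return what was removed."""
    removed = []
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for item in zin.infolist():
            if item.filename in JNDI_CLASSES:
                removed.append(item.filename)
                continue
            zout.writestr(item, zin.read(item.filename))
    return removed


def scan_lib_dir(lib_dir):
    """Per log4j-core jar: version, JNDI classes found, and whether class
    removal is still needed (older than FIXED_VERSION and classes present)."""
    report = {}
    for jar in sorted(Path(lib_dir).glob("log4j-core-*.jar")):
        version = jar_version(jar)
        found = jndi_classes_present(jar)
        parsed = parse_version(version)
        old = parsed is None or parsed < FIXED_VERSION
        report[jar.name] = {"version": version, "found": found,
                            "needs_action": old and bool(found)}
    return report


def patterns_missing_nolookups(log4j2_xml):
    """PatternLayout patterns whose %m / %msg / %message lacks {nolookups}
    (mitigation 1); %n, %d etc. are ignored."""
    bad = []
    for m in re.finditer(r'<PatternLayout[^>]*\bpattern="([^"]*)"', log4j2_xml):
        pat = m.group(1)
        if re.search(r"%(message|msg|m)(?![A-Za-z])(?!\{nolookups\})", pat):
            bad.append(pat)
    return bad


def build_sample_jar(path, version):
    """Constructed stand-in for log4j-core: manifest plus dummy class entries."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        for cls in JNDI_CLASSES:
            z.writestr(cls, b"\xca\xfe\xba\xbe")


SAMPLE_XML = """<Configuration><Appenders>
  <Console name="Console"><PatternLayout pattern="%d %p %m%n"/></Console>
  <File name="File" fileName="druid.log"><PatternLayout pattern="%d %p %msg{nolookups}%n"/></File>
</Appenders></Configuration>"""  # constructed: first pattern unmitigated, second mitigated


def run_demo():
    """Build a 2.8.2-style jar, scan it, strip it, rescan, and check the XML."""
    work = Path(tempfile.mkdtemp())
    (work / "lib").mkdir()
    (work / "patched").mkdir()
    jar = work / "lib" / "log4j-core-2.8.2.jar"
    build_sample_jar(jar, "2.8.2")
    before = scan_lib_dir(work / "lib")[jar.name]
    removed = strip_jndi_classes(jar, work / "patched" / jar.name)
    after = scan_lib_dir(work / "patched")[jar.name]
    return {"before": before, "removed": removed, "after": after,
            "bad_patterns": patterns_missing_nolookups(SAMPLE_XML)}
```

Point scan_lib_dir at a real Druid lib directory to get the report, and strip_jndi_classes at the real jar to produce the patched copy; as the advisory says, the patched jar and the updated log4j2.xml files only take effect after a cluster restart, and the nolookups check has to be run over every log4j2.xml the installation carries.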