Agreed, at most companies they do a vulnerability scan of the libs to see if you have the right version.
On Mon, Dec 20, 2021 at 11:36 AM Pries, John E <john.pr...@verizon.com.invalid> wrote:

> Can I humbly recommend a quick patch to log4j 2.17.0? The reason is
> security organizations don't know from application to application which
> will be impacted or not; it will force us to update ourselves, creating a
> deviation from core.
>
> It just makes things more complicated for everyone if we don't have a
> recognized safe deployment.
>
> On Mon, Dec 20, 2021 at 11:28 AM Frank Chen <frankc...@apache.org> wrote:
>
> > Hi Devs,
> >
> > Last week, there were many people leaving comments in the issue/PR listed
> > as follows to enquire whether there's a newer Druid patch release such as
> > 0.22.2 that fixes the new vulnerabilities (CVE-2021-45046
> > <https://nvd.nist.gov/vuln/detail/CVE-2021-45046> and CVE-2021-45105
> > <https://nvd.nist.gov/vuln/detail/CVE-2021-45105>) which affect log4j
> > 2.15.0 and 2.16.0:
> >
> > https://github.com/apache/druid/issues/12054
> > https://github.com/apache/druid/pull/12061
> > https://github.com/apache/druid/pull/12051
> >
> > So, I bring up this topic here to discuss so that all of us can get a
> > clear message whether we should do a patch release.
> >
> > Following is my personal opinion:
> >
> > From the description of these two CVE announcements, we can see that
> > these two problems only affect those log4j pattern layouts which involve
> > the thread context map (MDC).
> >
> > Since Druid's default pattern layout DOES NOT use such a pattern layout, I
> > think it's safe to say that it's not affected by these vulnerabilities.
> > So, for the patch release, we don't need to release another patch release
> > to address these two problems.
> >
> > We can address these two in the upcoming major release 0.23, which is
> > going to be released next month if everything goes well as scheduled.
> >
> >
> > Frank
> >
>
> --
> John Pries
> Verizon
> 614 560 2132
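The thread turns on two different questions: a library scanner asks "is log4j-core older than 2.17.0?", while Frank's argument asks "does the pattern layout actually use the thread context map?". The script below, an added example that is not part of this thread and not Druid's own code, answers both for a given log4j2.xml plus the jar names on the classpath. The two sample configurations are constructed for illustration (the "plain" one is not Druid's real log4j2.xml); the conversion patterns it looks for (%X, %mdc, %MDC) and the ${ctx:...} lookup are the ones the Apache advisories for CVE-2021-45046 and CVE-2021-45105 name as the precondition.

```python
"""Added example: reconcile a version-based scanner result with a config-based
reachability check for CVE-2021-45046 / CVE-2021-45105.

Sample configurations below are constructed for this example; they are not
Druid's shipped log4j2.xml. The fixed version (2.17.0) is the one requested in
the thread above."""
import re
import xml.etree.ElementTree as ET

# Thread Context Map conversion patterns (%X, %mdc, %MDC, with optional width
# modifiers and an optional {key}) and ${ctx:...} / $${ctx:...} lookups inside a
# PatternLayout are what both CVEs require. %x (lowercase NDC) is deliberately
# not matched.
CONTEXT_PATTERN = re.compile(
    r"%[-.0-9]*(?:X|mdc|MDC)(?![A-Za-z])(?:\{[^}]*\})?"  # %X{user}, %mdc, %-10X
    r"|\$\{ctx:[^}]*\}?"                                  # ${ctx:loginId}
)

FIXED_VERSION = (2, 17, 0)


def _local(tag):
    """Strip an XML namespace prefix, if any, from an element tag."""
    return tag.rsplit("}", 1)[-1]


def pattern_layouts(xml_text):
    """Return every pattern string declared by a PatternLayout in a log4j2 XML config.

    Handles the usual <PatternLayout pattern="..."/>, the nested <Pattern>
    element form, and the strict <Layout type="PatternLayout" .../> form."""
    root = ET.fromstring(xml_text)
    patterns = []
    for el in root.iter():
        tag = _local(el.tag)
        is_layout = tag == "PatternLayout" or (
            tag == "Layout" and el.attrib.get("type") == "PatternLayout"
        )
        if not is_layout:
            continue
        if "pattern" in el.attrib:
            patterns.append(el.attrib["pattern"])
        for child in el:
            if _local(child.tag) == "Pattern" and child.text:
                patterns.append(child.text.strip())
    return patterns


def context_lookups(xml_text):
    """Return the offending fragments (e.g. '%X{user}', '${ctx:requestId}')."""
    hits = []
    for pattern in pattern_layouts(xml_text):
        hits.extend(m.group(0) for m in CONTEXT_PATTERN.finditer(pattern))
    return hits


def log4j_core_version(jar_names):
    """Parse the log4j-core version tuple from a jar file name, or None if absent."""
    for name in jar_names:
        m = re.fullmatch(r"log4j-core-(\d+(?:\.\d+)*)\.jar", name)
        if m:
            return tuple(int(x) for x in m.group(1).split("."))
    return None


def assess(xml_text, jar_names, fixed=FIXED_VERSION):
    """Combine the two views: what a version scanner reports vs. what the config exposes."""
    version = log4j_core_version(jar_names)
    below_fixed = version is not None and version < fixed
    hits = context_lookups(xml_text)
    return {
        "version": version,
        "flagged_by_version_scan": below_fixed,   # what the scanner says
        "context_lookups": hits,                  # what makes the bugs reachable
        "config_reachable": below_fixed and bool(hits),
    }


# Constructed sample: no MDC / ctx usage in the layout (illustrative only).
PLAIN_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %p [%t] %c - %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed sample: the layout pulls values from the thread context map,
# which is the precondition both CVEs need.
MDC_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout>
        <Pattern>%d %p [%t] user=%X{user} req=$${ctx:requestId} %c - %m%n</Pattern>
      </PatternLayout>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
"""

if __name__ == "__main__":
    for label, cfg in (("plain", PLAIN_CONFIG), ("mdc", MDC_CONFIG)):
        print(label, assess(cfg, ["log4j-core-2.16.0.jar", "log4j-api-2.16.0.jar"]))
```

Run against a 2.16.0 classpath, the plain configuration is flagged by the version check but has no context lookups, which is exactly the situation Frank describes; the MDC configuration is flagged on both counts. The check is a narrowing, not a proof: a layout set through a properties file, programmatic configuration, or a non-default config shipped by an operator is outside what this XML scan sees, and a version scanner will keep reporting the jar regardless, which is the operational point John raises.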