I think doing a 0.22.2 would be worth it for users' peace of mind, even if
Druid isn't vulnerable by default. Just because people are on edge about
log4j-related stuff right now. In case other people agree, I created a
0.22.2 branch just now. Is anyone able to release-manage this one?

Btw, John and Rahul, assuming we do 0.22.2, I'm not sure what the timing
will be. I don't think we'll do it on the same emergency schedule that we
did for 0.22.1, since this doesn't seem to affect Druid unless you're
explicitly enabling those context patterns mentioned in the log4j advisory.
And there is an easy mitigation: just don't use those context patterns. So
if you are in a rush due to your own internal schedules, you might need to
build your own versions temporarily anyway.

On Mon, Dec 20, 2021 at 11:42 AM rahul gidwani <rahul.gidw...@gmail.com>
wrote:

> agreed, at most companies they do a vulnerability scan of the libs to see
> if you have the right version.
>
> On Mon, Dec 20, 2021 at 11:36 AM Pries, John E
> <john.pr...@verizon.com.invalid> wrote:
>
> > Can I humbly recommend a quick patch to log4j 2.17.0?  The reason is
> > security organizations don't know from application to application which
> > will be impacted or not, it will force us to update ourselves creating a
> > deviation from core.
> >
> > It just makes things more complicated for everyone if we don't have a
> > recognized safe deployment.
> >
> > On Mon, Dec 20, 2021 at 11:28 AM Frank Chen <frankc...@apache.org> wrote:
> >
> > > Hi Devs,
> > >
> > > Last week, there were many people leaving comments in the issue/PR
> > > listed as follows to enquire whether there's a newer Druid patch
> > > release such as 0.22.2 that fixes the new vulnerabilities
> > > (CVE 45046 <https://nvd.nist.gov/vuln/detail/CVE-2021-45046> and
> > > 45105 <https://nvd.nist.gov/vuln/detail/CVE-2021-45105>) which affect
> > > log4j 2.15.0 and 2.16.0
> > >
> > > https://github.com/apache/druid/issues/12054
> > > https://github.com/apache/druid/pull/12061
> > > https://github.com/apache/druid/pull/12051
> > >
> > > So, I bring up this topic here to discuss so that all of us can get a
> > > clear message whether we should do a patch release.
> > >
> > > Following is my personal opinion:
> > >
> > > From the description of these two CVE announcements, we can see that
> > > these two problems only affect those log4j pattern layouts which
> > > involve the thread context map (MDC).
> > >
> > > Since Druid's default pattern layout DOES NOT use such a pattern
> > > layout, I think it's safe to say that it's not affected by these
> > > vulnerabilities. So, for the patch release, we don't need to release
> > > another patch release to address these two problems.
> > >
> > > We can address these two in the upcoming major release 0.23 which is
> > > going to be released next month if everything goes well as scheduled.
> > >
> > >
> > > Frank
> > >
> >
> >
> > --
> > John Pries
> > Verizon
> > 614 560 2132
> >
>
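
The mitigation discussed above (stay off the affected pattern layouts) is easy to verify mechanically. The following is an added example, not Druid's code and not part of this thread: it scans a log4j2 XML configuration for the two PatternLayout features the log4j advisories name for CVE-2021-45046 and CVE-2021-45105, a Context Lookup (${ctx:...} or $${ctx:...}) in the pattern and the Thread Context Map conversion patterns (%X, %mdc, %MDC). The embedded configuration, its appender names and its patterns are constructed for the example; the "safe" pattern is illustrative and is not claimed to be Druid's default.

```python
"""Check a log4j2 XML configuration for the PatternLayout features that the
CVE-2021-45046 / CVE-2021-45105 advisories tie the vulnerabilities to:
Context Lookups (${ctx:...} / $${ctx:...}) and Thread Context Map conversion
patterns (%X, %mdc, %MDC). Added example; not Druid project code."""
import re
import sys
import xml.etree.ElementTree as ET

# A Context Lookup reference inside a pattern (one or two leading '$').
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:")
# Thread Context Map conversion patterns. Case matters: %x is the NDC, not the MDC.
MDC_PATTERN = re.compile(r"%(?:X|mdc|MDC)\b")


def pattern_findings(pattern: str) -> list[str]:
    """Return the reasons a layout pattern is flagged; an empty list means not flagged."""
    reasons = []
    if CTX_LOOKUP.search(pattern):
        reasons.append("context lookup ${ctx:...}")
    if MDC_PATTERN.search(pattern):
        reasons.append("thread context map pattern (%X/%mdc/%MDC)")
    return reasons


def scan_log4j2_config(config_xml: str) -> list[tuple[str, str, list[str]]]:
    """Return (appender name, pattern, reasons) for every flagged PatternLayout.

    Handles both forms log4j2 accepts: a `pattern` attribute and a nested
    <Pattern> element.
    """
    root = ET.fromstring(config_xml)
    # ElementTree has no parent links; build a child -> parent map once so a
    # flagged layout can be reported against the appender that owns it.
    parents = {child: parent for parent in root.iter() for child in parent}
    flagged = []
    for layout in root.iter("PatternLayout"):
        pattern = layout.get("pattern")
        if pattern is None:
            node = layout.find("Pattern")
            pattern = (node.text or "") if node is not None else ""
        reasons = pattern_findings(pattern)
        if reasons:
            appender = parents.get(layout)
            name = appender.get("name", appender.tag) if appender is not None else "?"
            flagged.append((name, pattern.strip(), reasons))
    return flagged


# Constructed sample configuration (hypothetical appender names and patterns).
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <!-- Plain layout: no lookups, no MDC conversion patterns. -->
      <PatternLayout pattern="%d{ISO8601} %p [%t] %c - %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <!-- Renders thread-context (MDC) values in every line: flagged. -->
      <PatternLayout>
        <Pattern>%d %p %X{requestId} $${ctx:loginId} - %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
      <AppenderRef ref="Audit"/>
    </Root>
  </Loggers>
</Configuration>
"""


if __name__ == "__main__":
    # Pass a config path to scan a real file; otherwise scan the built-in sample.
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    findings = scan_log4j2_config(xml_text)
    for appender, pattern, reasons in findings:
        print(f"{appender}: {pattern!r}: {', '.join(reasons)}")
    sys.exit(1 if findings else 0)
```

Run it against each log4j2.xml shipped with a deployment; a non-zero exit means at least one appender renders MDC data or a context lookup and the "just don't use those context patterns" mitigation does not hold for that configuration. Note that it only inspects PatternLayout and only the XML configuration format; properties, YAML or JSON log4j2 configurations need the same two regular expressions applied to their pattern values.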
