Bad news: log4j has released a new patch release, 2.17.1, which addresses another vulnerability that allows attackers to execute remote code through the JDBC appender. Good news: Druid does not use the JDBC appender by default.

I raised a PR to update log4j to this latest version: https://github.com/apache/druid/pull/12106

On Tue, Dec 21, 2021 at 9:46 AM Gian Merlino <g...@apache.org> wrote:

> I think doing a 0.22.2 would be worth it for users' peace of mind, even if Druid isn't vulnerable by default, just because people are on edge about log4j-related stuff right now. In case other people agree, I created a 0.22.2 branch just now. Is anyone able to release-manage this one?
>
> Btw, John and Rahul, assuming we do 0.22.2, I'm not sure what the timing will be. I don't think we'll do it on the same emergency schedule that we did for 0.22.1, since this doesn't seem to affect Druid unless you're explicitly enabling those context patterns mentioned in the log4j advisory. And there is an easy mitigation: just don't use those context patterns. So if you are in a rush due to your own internal schedules, you might need to build your own versions temporarily anyway.
>
> On Mon, Dec 20, 2021 at 11:42 AM rahul gidwani <rahul.gidw...@gmail.com> wrote:
>
> > Agreed, at most companies they do a vulnerability scan of the libs to see if you have the right version.
> >
> > On Mon, Dec 20, 2021 at 11:36 AM Pries, John E <john.pr...@verizon.com.invalid> wrote:
> >
> > > Can I humbly recommend a quick patch to log4j 2.17.0? The reason is security organizations don't know from application to application which will be impacted or not; it will force us to update ourselves, creating a deviation from core.
> > >
> > > It just makes things more complicated for everyone if we don't have a recognized safe deployment.
> > >
> > > On Mon, Dec 20, 2021 at 11:28 AM Frank Chen <frankc...@apache.org> wrote:
> > >
> > > > Hi Devs,
> > > >
> > > > Last week, there were many people leaving comments in the issue/PR listed as follows to enquire whether there's a newer Druid patch release such as 0.22.2 that fixes the new vulnerabilities (CVE-2021-45046 <https://nvd.nist.gov/vuln/detail/CVE-2021-45046> and CVE-2021-45105 <https://nvd.nist.gov/vuln/detail/CVE-2021-45105>), which affect log4j 2.15.0 and 2.16.0:
> > > >
> > > > https://github.com/apache/druid/issues/12054
> > > > https://github.com/apache/druid/pull/12061
> > > > https://github.com/apache/druid/pull/12051
> > > >
> > > > So, I bring up this topic here to discuss so that all of us can get a clear message on whether we should do a patch release.
> > > >
> > > > Following is my personal opinion:
> > > >
> > > > From the description of these two CVE announcements, we can see that these two problems only affect those log4j pattern layouts which involve the thread context map (MDC).
> > > >
> > > > Since Druid's default pattern layout DOES NOT use such a pattern layout, I think it's safe to say that it's not affected by these vulnerabilities. So, for the patch release, we don't need to release another patch release to address these two problems.
> > > >
> > > > We can address these two in the upcoming major release 0.23, which is going to be released next month if everything goes well as scheduled.
> > > >
> > > > Frank
> > >
> > > --
> > > John Pries
> > > Verizon
> > > 614 560 2132
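The thread's exposure condition (the two CVEs only matter when a PatternLayout uses the thread context map, and the 2.17.1 fix only matters when a JDBC appender is configured) is something an operator can check mechanically rather than argue about per application. The following is an added example, not code from the thread or from the Druid project: a small Python check that scans a log4j2 XML configuration for the context-map features named in the log4j advisory (the %X / %mdc / %MDC converters and ${ctx:...} lookups), flags a configured JDBC appender, and compares a log4j version string against 2.17.1. The two sample configurations are constructed for this example and are not Druid's shipped log4j2.xml; the regex list is an assumption drawn from the advisory wording, not an exhaustive detector.

```python
"""Added example: check a log4j2 XML configuration for the conditions the thread
discusses (MDC/context patterns in PatternLayout, a JDBC appender) and compare a
log4j version string against 2.17.1.  Both configs below are constructed samples."""
import re
import xml.etree.ElementTree as ET

# Version the thread's PR moves Druid to.
PATCHED_VERSION = (2, 17, 1)

# PatternLayout features the advisory ties the two CVEs to: context lookups such as
# ${ctx:loginId} / $${ctx:loginId}, and the thread-context-map converters %X, %mdc, %MDC.
# Assumption: this list is taken from the advisory wording and is not exhaustive.
CONTEXT_PATTERNS = [
    (re.compile(r"\$\$?\{ctx:"), "context lookup ${ctx:...}"),
    (re.compile(r"%(?:X|mdc|MDC)(?![A-Za-z])"), "thread context map converter (%X/%mdc/%MDC)"),
]

# Constructed sample: a layout in the spirit of Druid's default, no context-map usage.
SAFE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %p [%t] %c - %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed sample: the opt-in features the thread says to avoid.
RISKY_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %p [%t] %X{requestId} %c - %m%n"/>
    </Console>
    <JDBC name="Audit" tableName="audit_log">
      <Column name="message" pattern="$${ctx:loginId} %m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
      <AppenderRef ref="Audit"/>
    </Root>
  </Loggers>
</Configuration>
"""


def parse_version(text):
    """Extract a dotted version from text such as '2.17.1' or 'log4j-core-2.16.0.jar'."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if match is None:
        raise ValueError(f"no dotted version found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_patched(version_text):
    """True when the log4j version is at least 2.17.1 (the version in the thread's PR)."""
    return parse_version(version_text) >= PATCHED_VERSION


def scan_log4j2_xml(xml_text):
    """Return (location, finding) pairs for a log4j2 XML config, in document order."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.split("}")[-1]                # drop any XML namespace prefix
        name = elem.get("name")
        where = f"<{tag} name={name!r}>" if name else f"<{tag}>"
        if tag.lower() == "jdbc":
            findings.append((where, "JDBC appender configured"))
        # Patterns appear either as a pattern="..." attribute or as <Pattern> text.
        values = list(elem.attrib.values()) + ([elem.text] if elem.text else [])
        for value in values:
            for regex, label in CONTEXT_PATTERNS:
                if regex.search(value):
                    findings.append((where, label))
    return findings


def assess(xml_text, log4j_version):
    """Combine the version check with the config scan into one verdict."""
    findings = scan_log4j2_xml(xml_text)
    return {"patched": is_patched(log4j_version),
            "config_uses_context_patterns_or_jdbc": bool(findings),
            "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        verdict = assess(cfg, "2.16.0")
        print(label, "patched:", verdict["patched"], "findings:", verdict["findings"])
```

The two checks are deliberately independent: a vulnerability scanner of the kind Rahul mentions only sees the jar version, while the config scan answers the question Gian and Frank raise, whether the deployment actually enables the context patterns. Running `assess()` against a real log4j2.xml with the version from the deployed log4j-core jar gives both answers in one place.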