Another workaround appears to be using the -Dlog4j2.formatMsgNoLookups=true 
option. Also, “Java versions greater than 6u211, 7u201, 8u191, and 11.0.1 are 
less affected by this attack vector, at least in theory, because the JNDI can't 
load remote code using LDAP.”

(https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/)

> On 12 Dec 2021, at 10:56, Dmitriy Pavlov <dpav...@apache.org> wrote:
> 
> Hi Igniters,
> 
> Preliminary: change of the log4j version does not affect any tests
> (Alexander Nikolaev, correct me if I'm wrong).
> 
> If you're using embedded Ignite, it's perfectly possible to enforce log4j2
> dependency to be 2.15.0 in your project final pom.xml or build.gradle or
> any other build system properties.
> 
> https://issues.apache.org/jira/browse/IGNITE-16101 ticket seems to be
> a blocker for 2.12. But for now, as a workaround, it's possible to select
> the latest version manually.
> 
> Sincerely,
> Dmitriy Pavlov
> 
> Sat, 11 Dec 2021 at 09:47, Nikita Amelchev <namelc...@apache.org> wrote:
> 
>> Hello.
>> 
>> The issue to update dependency was created:
>> https://issues.apache.org/jira/browse/IGNITE-16101
>> 
>> I want to include it in the 2.12 scope.
>> 
>> Sat, 11 Dec 2021, 09:19 Raymond Wilson <raymond_wil...@trimble.com> wrote:
>> 
>>> All
>>> 
>>> This blew up today: CVE-2021-44228 (
>>> https://www.bleepingcomputer.com/news/security/new-zero-day-exploit-for-log4j-java-library-is-an-enterprise-nightmare/
>>> )
>>> 
>>> Will there be a risk assessment with respect to Ignite for this CVE?
>>> 
>>> Thanks,
>>> Raymond.
>>> 
>>> --
>>> <http://www.trimble.com/>
>>> Raymond Wilson
>>> Trimble Distinguished Engineer, Civil Construction Software (CCS)
>>> 11 Birmingham Drive | Christchurch, New Zealand
>>> raymond_wil...@trimble.com
>>> 
>>> 
>> 
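
The three checks discussed in this thread (log4j-core below 2.15.0, the -Dlog4j2.formatMsgNoLookups=true option, and the quoted Java version thresholds) combined into a small audit script. This is an added example, not code from the thread or from Ignite; the function names, status labels and sample inputs are assumptions, and the 2.10.0 minimum for the option comes from Log4j's own advisory rather than from the thread.

```python
import re

FIXED = (2, 15, 0)         # log4j2 version the thread says to enforce
FLAG_FLOOR = (2, 10, 0)    # assumption from Log4j's advisory: option honoured from 2.10
FLAG = "-Dlog4j2.formatMsgNoLookups=true"
JAVA_UPDATES = {6: 211, 7: 201, 8: 191}   # 6u211, 7u201, 8u191 from the quote

def log4j_core_versions(jar_names):
    """Map each log4j-core jar name to its (major, minor, patch) version."""
    found = {}
    for name in jar_names:
        m = re.search(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$", name)
        if m:
            found[name] = tuple(int(g or 0) for g in m.groups())
    return found

def java_less_affected(version):
    """True if the JVM is newer than the thresholds quoted in the thread
    (strictly greater, as the quote words it)."""
    legacy = re.fullmatch(r"1\.(\d)\.0_(\d+)", version)   # e.g. 1.8.0_181
    if legacy:
        major, update = int(legacy.group(1)), int(legacy.group(2))
        return major in JAVA_UPDATES and update > JAVA_UPDATES[major]
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))
    return tuple(nums) > (11, 0, 1)

def assess(jar_names, jvm_args, java_version):
    """Return ([(jar, status)], java_less_affected) for one deployment."""
    flag_set = FLAG in jvm_args
    findings = []
    for name, ver in sorted(log4j_core_versions(jar_names).items()):
        if ver >= FIXED:
            status = "ok"
        elif flag_set and ver >= FLAG_FLOOR:
            status = "workaround"   # mitigated by the option, upgrade still pending
        else:
            status = "upgrade"
        findings.append((name, status))
    return findings, java_less_affected(java_version)

if __name__ == "__main__":
    # Constructed sample: jar listing, JVM arguments and java.version value.
    jars = ["libs/ignite-core-2.11.0.jar", "libs/log4j-core-2.14.1.jar"]
    print(assess(jars, ["-Xmx1g", FLAG], "1.8.0_181"))
```

The Java version result is reported separately and never upgrades a jar's status, since the quote only calls newer JVMs "less affected".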

