Igniters,

Looks like we need to update to 2.16; there is an additional attack vector [1].

[1] https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/

On Mon, Dec 13, 2021 at 4:06 PM Maxim Muzafarov <mmu...@apache.org> wrote:

> Folks,
>
> Should we describe all the WA available for the issue [1]? There is
> already a lot of information about the CVE, and nevertheless, it will not
> be superfluous.
>
> [1] https://issues.apache.org/jira/browse/IGNITE-16101
>
> On Mon, 13 Dec 2021 at 15:37, Ivan Daschinsky <ivanda...@gmail.com> wrote:
> >
> > Unfortunately, we need to patch our Log4j2 adapter in order to work with
> > log4j-2.15.
> > So there is no choice other than to release 2.11.1.
> >
> > On Mon, 13 Dec 2021 at 15:21, Anton Vinogradov <a...@apache.org> wrote:
> >
> > > Folks,
> > >
> > > My 200 rubles here,
> > > > I want to include it in the 2.12 scope.
> > > Why not 2.11.1 as well?
> > > We should provide a fixed version for current customers asap.
> > > 2.12 requires migration, while 2.11.1 can be applied as-is.
> > >
> > >
> > > On Mon, Dec 13, 2021 at 12:18 PM Stephen Darlington <
> > > stephen.darling...@gridgain.com> wrote:
> > >
> > > > Another workaround appears to be using the
> > > > -Dlog4j2.formatMsgNoLookups=true option. Also, “Java versions greater than
> > > > 6u211, 7u201, 8u191, and 11.0.1 are less affected by this attack vector, at
> > > > least in theory, because the JNDI can't load remote code using LDAP.”
> > > >
> > > > (https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/)
> > > >
> > > > > On 12 Dec 2021, at 10:56, Dmitriy Pavlov <dpav...@apache.org> wrote:
> > > > >
> > > > > Hi Igniters,
> > > > >
> > > > > Preliminary: change of the log4j version does not affect any tests
> > > > > (Alexander Nikolaev, correct me if I'm wrong).
> > > > >
> > > > > If you're using embedded Ignite, it's perfectly possible to enforce the
> > > > > log4j2 dependency to be 2.15.0 in your project's final pom.xml or
> > > > > build.gradle or any other build system properties.
> > > > >
> > > > > https://issues.apache.org/jira/browse/IGNITE-16101 ticket seems to be
> > > > > a blocker for 2.12. But for now, as a workaround, it's possible to select
> > > > > the latest version manually.
> > > > >
> > > > > Sincerely,
> > > > > Dmitriy Pavlov
> > > > >
> > > > > On Sat, 11 Dec 2021 at 09:47, Nikita Amelchev <namelc...@apache.org> wrote:
> > > > >
> > > > >> Hello.
> > > > >>
> > > > >> The issue to update dependency was created:
> > > > >> https://issues.apache.org/jira/browse/IGNITE-16101
> > > > >>
> > > > >> I want to include it in the 2.12 scope.
> > > > >>
> > > > >> On Sat, 11 Dec 2021 at 09:19, Raymond Wilson <raymond_wil...@trimble.com> wrote:
> > > > >>
> > > > >>> All
> > > > >>>
> > > > >>> This blew up today: CVE-2021-44228
> > > > >>> (https://www.bleepingcomputer.com/news/security/new-zero-day-exploit-for-log4j-java-library-is-an-enterprise-nightmare/)
> > > > >>>
> > > > >>> Will there be a risk assessment with respect to Ignite for this CVE?
> > > > >>>
> > > > >>> Thanks,
> > > > >>> Raymond.
> > > > >>>
> > > > >>> --
> > > > >>> <http://www.trimble.com/>
> > > > >>> Raymond Wilson
> > > > >>> Trimble Distinguished Engineer, Civil Construction Software (CCS)
> > > > >>> 11 Birmingham Drive | Christchurch, New Zealand
> > > > >>> raymond_wil...@trimble.com
> > > > >>>
> >
> >
> > --
> > Sincerely yours, Ivan Daschinskiy
>
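
An added example, not part of the thread and not Ignite's own code: a small scanner for the check the workarounds above imply, finding which log4j-core version actually ships inside a deployment jar, including copies nested in fat jars used for embedded setups. The function names are hypothetical, the 2.16.0 threshold is taken from the top message of this thread, and the sample jars are constructed in memory.

```python
import io
import re
import zipfile

# Maven metadata that log4j-core carries inside its own jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MIN_SAFE = (2, 16, 0)  # assumption: the target version named in this thread


def parse_version(text):
    """Return (major, minor, patch) from a pom.properties body, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def scan_jar(data, name="<jar>", depth=0):
    """Yield (path, version, ok) for each log4j-core 2.x copy found in a jar,
    descending into nested jars up to three levels deep."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not an archive: nothing to report
    with zf:
        for entry in zf.namelist():
            if entry == POM_PROPS:
                ver = parse_version(zf.read(entry).decode("utf-8", "replace"))
                if ver and ver[0] == 2:
                    yield name, ver, ver >= MIN_SAFE
            elif entry.lower().endswith(".jar") and depth < 3:
                yield from scan_jar(zf.read(entry), f"{name}!/{entry}", depth + 1)


def make_jar(files):
    """Build an in-memory jar from {entry_name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, body in files.items():
            zf.writestr(entry, body)
    return buf.getvalue()


if __name__ == "__main__":
    old = make_jar({POM_PROPS: b"version=2.14.1\nartifactId=log4j-core\n"})
    new = make_jar({POM_PROPS: b"version=2.16.0\nartifactId=log4j-core\n"})
    app = make_jar({"lib/log4j-core-old.jar": old, "lib/log4j-core-new.jar": new})
    for path, ver, ok in scan_jar(app, "app.jar"):
        print(path, ".".join(map(str, ver)), "ok" if ok else "UPGRADE")
```

To scan a real artifact, pass the file's bytes, for example `scan_jar(open(path, "rb").read(), path)`.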
