Vishwas Bm,

I've found the same for the Zookeeper IP finder module.
It seems to me that it must be fixed also.

[1] https://github.com/apache/ignite/blob/master/modules/zookeeper/pom.xml#L114

On Mon, 20 Dec 2021 at 13:39, Vishwas Bm <bmvish...@gmail.com> wrote:
>
> Correct url to rest-http module
>
> https://github.com/apache/ignite/blob/21f7ca41c4348909e2fd26ccf59b5b2ce1f4474e/modules/rest-http/pom.xml#L131
>
> On Mon, 20 Dec, 2021, 16:06 Vishwas Bm, <bmvish...@gmail.com> wrote:
>
> > Hi,
> >
> > Why is ignite rest module still using old log4j version dependency?
> >
> >
> > https://github.com/apache/ignite/blob/21f7ca41c4348909e2fd26ccf59b5b2ce1f4474e/modules/log4j/pom.xml#L46
> >
> > Can this be removed? There is a critical CVE against this package.
> >
> > Regards,
> > Vishwas
> >
> >
> > On Wed, 15 Dec, 2021, 12:57 Aleksandr Nikolaev, <nikolaev...@live.com> wrote:
> >
> >> Hi folks,
> >>
> >> OK, I'm updating log4j version 2.15 to 2.16
> >>
> >> https://issues.apache.org/jira/browse/IGNITE-16127
> >>
> >>
> >> On 15.12.2021 09:54, Pavel Tupitsyn wrote:
> >> > Igniters,
> >> >
> >> > Looks like we need to update to 2.16, there is an additional attack vector [1]
> >> >
> >> > [1] https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/
> >> >
> >> > On Mon, Dec 13, 2021 at 4:06 PM Maxim Muzafarov <mmu...@apache.org> wrote:
> >> >
> >> >> Folks,
> >> >>
> >> >> Should we describe all the WA available for the issue [1]? There is
> >> >> already a lot of information about CVE, and nevertheless, it will not
> >> >> be superfluous.
> >> >>
> >> >> [1] https://issues.apache.org/jira/browse/IGNITE-16101
> >> >>
> >> >> On Mon, 13 Dec 2021 at 15:37, Ivan Daschinsky <ivanda...@gmail.com> wrote:
> >> >>> Unfortunately, we need to patch our Log4j2 adapter in order to work with
> >> >>> log4j-2.15.
> >> >>> So there is no choice other than to release 2.11.1
> >> >>>
> >> >>> On Mon, 13 Dec 2021 at 15:21, Anton Vinogradov <a...@apache.org> wrote:
> >> >>>
> >> >>>> Folks,
> >> >>>>
> >> >>>> My 200 rubles here,
> >> >>>>> I want to include it to the 2.12 scope.
> >> >>>> Why not 2.11.1 as well?
> >> >>>> We should provide a fixed version for current customers asap.
> >> >>>> 2.12 requires migration, while 2.11.1 can be applied as-is.
> >> >>>>
> >> >>>>
> >> >>>> On Mon, Dec 13, 2021 at 12:18 PM Stephen Darlington <stephen.darling...@gridgain.com> wrote:
> >> >>>>
> >> >>>>> Another workaround appears to be using the
> >> >>>>> -Dlog4j2.formatMsgNoLookups=true option. Also, “Java versions greater
> >> >>>>> than 6u211, 7u201, 8u191, and 11.0.1 are less affected by this attack
> >> >>>>> vector, at least in theory, because the JNDI can't load remote code
> >> >>>>> using LDAP.”
> >> >>>>>
> >> >>>>> (https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/)
> >> >>>>>
> >> >>>>>> On 12 Dec 2021, at 10:56, Dmitriy Pavlov <dpav...@apache.org> wrote:
> >> >>>>>>
> >> >>>>>> Hi Igniters,
> >> >>>>>>
> >> >>>>>> Preliminary: change of the log4j version does not affect any tests
> >> >>>>>> (Alexander Nikolaev, correct me if I'm wrong).
> >> >>>>>>
> >> >>>>>> If you're using embedded Ignite, it's perfectly possible to enforce
> >> >>>>>> log4j2 dependency to be 2.15.0 in your project final pom.xml or
> >> >>>>>> build.gradle or any other build system properties.
> >> >>>>>>
> >> >>>>>> https://issues.apache.org/jira/browse/IGNITE-16101 ticket seems to be
> >> >>>>>> a blocker for 2.12. But for now, as a workaround, it's possible to
> >> >>>>>> select the latest version manually.
> >> >>>>>>
> >> >>>>>> Sincerely,
> >> >>>>>> Dmitriy Pavlov
> >> >>>>>>
> >> >>>>>> On Sat, 11 Dec 2021 at 09:47, Nikita Amelchev <namelc...@apache.org> wrote:
> >> >>>>>>> Hello.
> >> >>>>>>>
> >> >>>>>>> The issue to update dependency was created:
> >> >>>>>>> https://issues.apache.org/jira/browse/IGNITE-16101
> >> >>>>>>>
> >> >>>>>>> I want to include it to the 2.12 scope.
> >> >>>>>>>
> >> >>>>>>> On Sat, 11 Dec 2021 at 09:19, Raymond Wilson <raymond_wil...@trimble.com> wrote:
> >> >>>>>>>> All
> >> >>>>>>>>
> >> >>>>>>>> This blew up today: CVE-2021-44228
> >> >>>>>>>> (https://www.bleepingcomputer.com/news/security/new-zero-day-exploit-for-log4j-java-library-is-an-enterprise-nightmare/)
> >> >>>>>>>>
> >> >>>>>>>> Will there be a risk assessment with respect to Ignite for this CVE?
> >> >>>>>>>>
> >> >>>>>>>> Thanks,
> >> >>>>>>>> Raymond.
> >> >>>>>>>>
> >> >>>>>>>> --
> >> >>>>>>>> <http://www.trimble.com/>
> >> >>>>>>>> Raymond Wilson
> >> >>>>>>>> Trimble Distinguished Engineer, Civil Construction Software (CCS)
> >> >>>>>>>> 11 Birmingham Drive | Christchurch, New Zealand
> >> >>>>>>>> raymond_wil...@trimble.com
> >> >>>>>>>>
> >> >>>>>
> >> >>>>>
> >> >>>
> >> >>> --
> >> >>> Sincerely yours, Ivan Daschinskiy
> >>
> >
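
The check this thread keeps coming back to (module POMs that still declare the old log4j line, or log4j-core below 2.16), as an added Python example that is not part of the original e-mails or Ignite's own tooling. The POM text is constructed for illustration, and the script assumes the standard Maven POM namespace and only resolves properties defined in the same file.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
MIN_LOG4J2 = (2, 16, 0)  # the version the thread settles on

# Constructed sample POM for illustration; not a file from the Ignite repository.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j2.version>2.15.0</log4j2.version></properties>
  <dependencies>
    <dependency><groupId>log4j</groupId><artifactId>log4j</artifactId>
      <version>1.2.17</version></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j2.version}</version></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId><version>2.16.0</version></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId><scope>test</scope></dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """'2.15.0' -> (2, 15, 0); missing components count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def audit_pom(xml_text):
    """Return (groupId, artifactId, version, reason) for each log4j finding."""
    root = ET.fromstring(xml_text)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.iterfind(".//m:dependency", NS):
        gid, aid, ver = ((dep.findtext("m:" + t, "", NS) or "").strip()
                         for t in ("groupId", "artifactId", "version"))
        ref = re.fullmatch(r"\$\{(.+)\}", ver)
        if ref:  # resolve ${property} against this POM's own <properties>
            ver = props.get(ref.group(1), ver)
        if (gid, aid) == ("log4j", "log4j"):
            findings.append((gid, aid, ver, "log4j 1.x line"))
        elif (gid, aid) == ("org.apache.logging.log4j", "log4j-core"):
            if not ver or ver.startswith("${"):
                findings.append((gid, aid, ver, "version set elsewhere, check parent POM"))
            elif parse_version(ver) < MIN_LOG4J2:
                findings.append((gid, aid, ver, "below 2.16.0"))
    return findings

if __name__ == "__main__":
    for finding in audit_pom(SAMPLE_POM):
        print(finding)
```

A declaration without a version is reported rather than skipped, because the effective version then comes from a parent POM or dependencyManagement section that this single-file check cannot see.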
