[jira] [Commented] (CONNECTORS-1683) Upgrade Log4J 2.15.0 (CVE-2021-44228)

Markus Schuch (Jira) Fri, 10 Dec 2021 07:59:05 -0800


    [ 
https://issues.apache.org/jira/browse/CONNECTORS-1683?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457231#comment-17457231
 ]


Markus Schuch commented on CONNECTORS-1683:
-------------------------------------------

Temporary Mitigation with the 'formatMsgNoLookups' property is not possible, 
because it was added in version 2.10.0

ManifoldCF still uses 2.4.1 
(https://github.com/apache/manifoldcf/blob/trunk/build.xml#L87)

> Upgrade Log4J 2.15.0 (CVE-2021-44228)
> -------------------------------------
>
>                 Key: CONNECTORS-1683
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1683
>             Project: ManifoldCF
>          Issue Type: Bug
>          Components: Framework core
>            Reporter: Markus Schuch
>            Priority: Major
>              Labels: CVE-2021-44228, security, vulnerabilities
>
> We should upgrade to Log4J 2.15.0, because there is a known RCE Vulnerability 
> in previous Versions: https://www.lunasec.io/docs/blog/log4j-zero-day/



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

[jira] [Commented] (CONNECTORS-1683) Upgrade Log4J 2.15.0 (CVE-2021-44228)

Reply via email to