[
https://issues.apache.org/jira/browse/RANGER-3691?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17519414#comment-17519414
]
kirby zhou commented on RANGER-3691:
------------------------------------
Way 1: migrate from log4j to slf4j/logback log system
I think it is too heavy for 2.2.1, there are series of patches.
{code:java}
db99f639017bc9bbd71a7c5772adc1545ca83ec0
RANGER-3632: accesslog RENAME_ON_ROTATE, del log4j remains
7f81994d9bcfd29f07a18ab3554204dff5cbe4b6
RANGER-3631: logback.xml updated to fix incorrect format, set maxHistory=15 and
cleanHistoryOnStart=true
54d491cdee6f2704b7862e45c03317fc8536bf68
RANGER-3498 : RANGER : Remove log4j1 dependencies.
cec500b00e6c979196b6a1ed59df5817dc25e204
RANGER-3498: replaced use of org.apache.log4j and org.apache.commons.logging
with org.slf4j {code}
Way 2: upgrade log4j2 to latest 2.17.2,
You can refer to this commit and rewrite a commit.
{code:java}
ac27d800e1494ee045cc374252799d50fdfbc060
RANGER-3547:Upgrade to use log4j 2.16.0+ version to ensure that we are using
supported version of log4j {code}
> Upgrade spring to 5.3.18 CVE-2022-22965
> ---------------------------------------
>
> Key: RANGER-3691
> URL: https://issues.apache.org/jira/browse/RANGER-3691
> Project: Ranger
> Issue Type: Bug
> Components: admin, kms
> Reporter: kirby zhou
> Assignee: kirby zhou
> Priority: Blocker
> Fix For: 3.0.0
>
>
> [https://tanzu.vmware.com/security/cve-2022-22965|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965]
> [https://github.com/spring-projects/spring-framework/releases]
>
> Spring has a new 0day Remote-Code-Execution problem, related to spring-beans
> and JDK9+
> Fixed at spring 5.3.18 / 5.2.20
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
