Luke Sun created STORM-3808:
-------------------------------
Summary: Bump log4j version to 2.15.0
Key: STORM-3808
URL: https://issues.apache.org/jira/browse/STORM-3808
Project: Apache Storm
Issue Type: Improvement
Reporter: Luke Sun
For CVE-2021-44228, bump log4j to 2.15.0.
{code:java}
News

CVE-2021-44228

The Log4j team has been made aware of a security vulnerability, CVE-2021-44228,
that has been addressed in Log4j 2.15.0.

Log4j’s JNDI support has not restricted what names could be resolved. Some
protocols are unsafe or can allow remote code execution. Log4j now limits the
protocols by default to only java, ldap, and ldaps and limits the ldap
protocols to only accessing Java primitive objects by default served on the
local host.

One vector that allowed exposure to this vulnerability was Log4j’s allowance of
Lookups to appear in log messages. As of Log4j 2.15.0 this feature is now
disabled by default. While an option has been provided to enable Lookups in
this fashion, users are strongly discouraged from enabling it.

For those who cannot upgrade to 2.15.0, in releases >=2.10, this behavior can
be mitigated by setting either the system property log4j2.formatMsgNoLookups or
the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases
>=2.7 and <=2.14.1, all PatternLayout patterns can be modified to specify the
message converter as %m{nolookups} instead of just %m. For releases >=2.0-beta9
and <=2.10.0, the mitigation is to remove the JndiLookup class from the
classpath: zip -q -d log4j-core-*.jar
org/apache/logging/log4j/core/lookup/JndiLookup.class.
{code}
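The quoted announcement gives three version-dependent mitigations and one fix version. The following Python is an added example, not part of this ticket, of Apache Storm, or of the Log4j project: it encodes those version ranges, reads a log4j-core jar's manifest to find its version, and reports whether the JndiLookup.class entry the announcement says to strip is still present. It assumes the jar manifest carries an Implementation-Version header (Maven-built jars normally do); the sample jars it builds are constructed in memory and contain no real bytecode.

```python
"""Which CVE-2021-44228 mitigations from the Log4j 2.15.0 announcement apply to a
given log4j-core version, and does a jar still carry JndiLookup.class?

Added example; version ranges come from the announcement, sample jars are
constructed in memory for demonstration only.
"""
import io
import re
import zipfile

# Entry the announcement tells users to strip from log4j-core for old releases.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Short labels for the three mitigations described in the announcement.
SYSTEM_PROPERTY = "formatMsgNoLookups"   # log4j2.formatMsgNoLookups / LOG4J_FORMAT_MSG_NO_LOOKUPS
PATTERN_NOLOOKUPS = "nolookups-pattern"  # %m{nolookups} in every PatternLayout
REMOVE_CLASS = "remove-JndiLookup"       # zip -q -d log4j-core-*.jar .../JndiLookup.class


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    A missing patch number counts as 0 (so '2.10' == '2.10.0'), and a
    pre-release tag sorts below the final release of the same number. Tags are
    compared as plain strings, which is enough for the one tag used here.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, tag = m.groups()
    release = (1, "") if tag is None else (0, tag)
    return (int(major), int(minor), int(patch or 0)) + release


def applicable_mitigations(version):
    """Return the mitigations the announcement lists for this log4j-core version.

    2.15.0 and later need none. Releases before 2.0-beta9 (and 1.x) fall
    outside every range the announcement gives, so they also return [].
    """
    v = parse_version(version)
    if v >= parse_version("2.15.0"):
        return []
    found = []
    if v >= parse_version("2.10"):
        found.append(SYSTEM_PROPERTY)
    if parse_version("2.7") <= v <= parse_version("2.14.1"):
        found.append(PATTERN_NOLOOKUPS)
    if parse_version("2.0-beta9") <= v <= parse_version("2.10.0"):
        found.append(REMOVE_CLASS)
    return found


def inspect_jar(jar_bytes):
    """Read Implementation-Version from the manifest and check for JndiLookup.class.

    Assumes the manifest carries Implementation-Version; the version is None
    when the header is absent.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
                    break
    return {"version": version, "has_jndi_lookup": JNDI_LOOKUP_CLASS in names}


def assess_jar(jar_bytes):
    """Combine manifest version and class presence into the remaining to-do list."""
    info = inspect_jar(jar_bytes)
    needed = applicable_mitigations(info["version"]) if info["version"] else []
    # If the JndiLookup entry is already gone, the class-removal step is done.
    if not info["has_jndi_lookup"]:
        needed = [m for m in needed if m != REMOVE_CLASS]
    info["mitigations"] = needed
    return info


def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed stand-in for a log4j-core jar: a manifest plus, optionally, an
    empty placeholder entry where JndiLookup.class would sit. Not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for ver, keep in [("2.0-beta9", True), ("2.9.1", True), ("2.10.0", False),
                      ("2.14.1", True), ("2.15.0", True)]:
        print(ver, assess_jar(build_sample_jar(ver, keep)))
```

To run it against a real artifact, pass the bytes of the jar on the classpath (for example `open("log4j-core-2.14.1.jar", "rb").read()`) to `assess_jar`; an empty mitigation list for a version below 2.15.0 only means the class-removal step has been applied, not that the other listed mitigations are unnecessary, so the version string is still reported alongside.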
--
This message was sent by Atlassian Jira
(v8.20.1#820001)