[ https://issues.apache.org/jira/browse/STORM-3808?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ethan Li closed STORM-3808.
---------------------------

> Bump log4j version to 2.16.0 (original ticket was 2.15.0)
> ---------------------------------------------------------
>
>                 Key: STORM-3808
>                 URL: https://issues.apache.org/jira/browse/STORM-3808
>             Project: Apache Storm
>          Issue Type: Improvement
>            Reporter: Luke Sun
>            Priority: Major
>
> For CVE-2021-44228, bump log4j to 2.15.0
> {code:java}
> News
> CVE-2021-44228
> The Log4j team has been made aware of a security vulnerability,
> CVE-2021-44228, that has been addressed in Log4j 2.15.0.
> Log4j's JNDI support has not restricted what names could be resolved. Some
> protocols are unsafe or can allow remote code execution. Log4j now limits the
> protocols by default to only java, ldap, and ldaps and limits the ldap
> protocols to only accessing Java primitive objects by default served on the
> local host.
> One vector that allowed exposure to this vulnerability was Log4j's allowance
> of Lookups to appear in log messages. As of Log4j 2.15.0 this feature is now
> disabled by default. While an option has been provided to enable Lookups in
> this fashion, users are strongly discouraged from enabling it.
> For those who cannot upgrade to 2.15.0, in releases >=2.10, this behavior can
> be mitigated by setting either the system property log4j2.formatMsgNoLookups
> or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases
> >=2.7 and <=2.14.1, all PatternLayout patterns can be modified to specify the
> message converter as %m{nolookups} instead of just %m. For releases
> >=2.0-beta9 and <=2.10.0, the mitigation is to remove the JndiLookup class
> from the classpath: zip -q -d log4j-core-*.jar
> org/apache/logging/log4j/core/lookup/JndiLookup.class.
> {code}

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
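The advisory quoted in the ticket maps each log4j-core version range to a different interim mitigation. The following audit script, an added example that is not part of the Storm ticket or of Log4j, scans a directory of jars, reads the version from each jar's MANIFEST.MF (falling back to the file name), checks whether the JndiLookup class is still present, and reports the advisory's recommendation against the 2.16.0 target of this ticket; the jars it scans are stand-ins constructed in a temp directory, and the function names are this example's own.

```python
import os, re, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 16, 0, 0)  # version this ticket bumps to

def version_key(version):
    """'2.14.1' -> (2,14,1,0); '2.0-beta9' -> (2,0,0,-1); unparseable -> zeros."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(-beta\d+)?", version)
    if not m:
        return (0, 0, 0, 0)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), -1 if m.group(4) else 0)

def advise(version, has_jndi_lookup):
    """Map a log4j-core version to the advisory's mitigation for that range."""
    v = version_key(version)
    if v >= FIXED:
        return "ok: at or above 2.16.0"
    if not has_jndi_lookup:
        return "JndiLookup.class already removed; still upgrade to 2.16.0"
    if v >= (2, 10, 0, 0):
        return "upgrade; interim: set log4j2.formatMsgNoLookups=true"
    if v >= (2, 7, 0, 0):
        return "upgrade; interim: use %m{nolookups} in every PatternLayout"
    return "upgrade; interim: remove JndiLookup.class from the jar (zip -q -d)"

def scan_jar(path):
    """Return (version, has_jndi_lookup) for one jar file."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            version = m.group(1) if m else None
        if version is None:  # fall back to the conventional file name
            m = re.search(r"log4j-core-([\d.]+(?:-beta\d+)?)\.jar$", os.path.basename(path))
            version = m.group(1) if m else "unknown"
        return version, JNDI_CLASS in names

def audit_dir(directory):
    """Return {jar file name: recommendation} for every jar in the directory."""
    return {f: advise(*scan_jar(os.path.join(directory, f)))
            for f in sorted(os.listdir(directory)) if f.endswith(".jar")}

def make_sample_jar(directory, version, keep_jndi=True):
    """Construct a stand-in jar (not a real Log4j build) for the demonstration."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if keep_jndi:
            jar.writestr(JNDI_CLASS, b"")  # placeholder bytes, not real bytecode
    return path

def demo():
    """Build four constructed jars covering each advisory range and audit them."""
    with tempfile.TemporaryDirectory() as d:
        for v in ("2.14.1", "2.9.1", "2.0-beta9", "2.16.0"):
            make_sample_jar(d, v)
        make_sample_jar(d, "2.3", keep_jndi=False)
        return audit_dir(d)

if __name__ == "__main__":
    for jar, verdict in demo().items():
        print(f"{jar}: {verdict}")
```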