[jira] [Commented] (JAMES-3685) upgrade to log4j 2.16.0

2021-12-15 Thread Benoit Tellier (Jira)


[ 
https://issues.apache.org/jira/browse/JAMES-3685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459925#comment-17459925
 ] 

Benoit Tellier commented on JAMES-3685:
---

+1 but in a separate 3.6.2 release.

One reason is that we should not delay the most important fix.

Another is that it is already the second release build out of many, during my 
vacation, with a 6 month old baby. Would appreciate other committers / PMC 
members to help in the effort.

> upgrade to log4j 2.16.0
> ---
>
> Key: JAMES-3685
> URL: https://issues.apache.org/jira/browse/JAMES-3685
> Project: James Server
>  Issue Type: Improvement
>  Components: James Core
>Reporter: PJ Fanning
>Priority: Major
>
> https://mail-archives.apache.org/mod_mbox/www-announce/202112.mbox/%3CCACmp6ko9BevS%2BdKLPRon1sC9Aiz%3Ded7S1qpuqmE8c8U8Wr2u7Q%40mail.gmail.com%3E



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

-
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org



[jira] [Commented] (JAMES-3685) upgrade to log4j 2.16.0

2021-12-14 Thread Bernd Bartke (Jira)


[ 
https://issues.apache.org/jira/browse/JAMES-3685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459669#comment-17459669
 ] 

Bernd Bartke commented on JAMES-3685:
---

+1 to upgrade to Log4J 2.16.0
... if not switching logging library. But that's another issue.

[CVE-2021-45046|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046] 
Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern 
vulnerable to a denial of service attack.
Severity: Moderate

[Apache Log4j Security 
Vulnerabilities|https://logging.apache.org/log4j/2.x/security.html]

Description:
{quote}
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was 
incomplete in certain non-default configurations. This could allow attackers 
with control over Thread Context Map (MDC) input data when the logging 
configuration uses a non-default Pattern Layout with either a Context Lookup 
(for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or 
%MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a 
denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to 
localhost by default. Note that previous mitigations involving configuration 
such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT 
mitigate this specific vulnerability.
{quote}

Log4j 2.16.0 fixes this issue by removing support for message lookup patterns 
and disabling JNDI functionality by default. 

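The quoted advisory spells out the two conditions that make 2.15.0 insufficient: a PatternLayout that pulls Thread Context data (a Context Lookup such as `$${ctx:loginId}`, or `%X` / `%mdc` / `%MDC`), combined with a log4j-core version older than 2.16.0. The following script is an added example written for this page, not James project code or tooling, that checks both conditions against a log4j2.xml and a Maven POM. The function names (`risky_patterns`, `log4j_core_version`, `assess`), the sample configuration and the sample POM are all constructed for illustration; the only fix the issue proposes remains the upgrade itself, and this check only tells you whether a given deployment is in the affected non-default configuration.

```python
"""Check a log4j2 configuration and a Maven POM for the CVE-2021-45046
exposure described in the advisory: a PatternLayout that uses a Context
Lookup (${ctx:...}) or a Thread Context Map pattern (%X, %mdc, %MDC)
while the resolved log4j-core version is older than 2.16.0.
Added example; function names and sample inputs are constructed."""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (2, 16, 0)  # release named in the issue as the fix
MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Context Lookup in a pattern: ${ctx:...} or the escaped $${ctx:...} form
CTX_LOOKUP_RE = re.compile(r"\$\$?\{ctx:")
# Thread Context Map conversion patterns named in the advisory
MDC_PATTERN_RE = re.compile(r"%(?:X|mdc|MDC)\b")

# Constructed sample: first appender is in the affected configuration
SAMPLE_LOG4J_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] user=$${ctx:loginId} %m%n"/>
    </Console>
    <Console name="Plain" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed sample: version pinned through a property, as POMs often do
SAMPLE_POM_XML = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>example-app</artifactId>
  <version>1.0</version>
  <properties>
    <log4j.version>2.15.0</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """Turn '2.15.0' into (2, 15, 0); stops at the first non-numeric part."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def risky_patterns(log4j_xml):
    """Return every PatternLayout pattern that reads Thread Context data."""
    root = ET.fromstring(log4j_xml)
    found = []
    for layout in root.iter("PatternLayout"):
        # log4j2 accepts either a pattern attribute or a <Pattern> child
        pattern = layout.get("pattern") or layout.findtext("Pattern")
        if pattern and (CTX_LOOKUP_RE.search(pattern) or MDC_PATTERN_RE.search(pattern)):
            found.append(pattern)
    return found


def log4j_core_version(pom_xml):
    """Resolve the declared log4j-core version, following a ${property} ref."""
    root = ET.fromstring(pom_xml)
    props = {}
    for p in root.findall("m:properties/*", MAVEN_NS):
        props[p.tag.split("}")[-1]] = (p.text or "").strip()
    for dep in root.iter("{%s}dependency" % MAVEN_NS["m"]):
        group = dep.findtext("m:groupId", default="", namespaces=MAVEN_NS)
        artifact = dep.findtext("m:artifactId", default="", namespaces=MAVEN_NS)
        if group == "org.apache.logging.log4j" and artifact == "log4j-core":
            version = dep.findtext("m:version", default="", namespaces=MAVEN_NS).strip()
            m = re.fullmatch(r"\$\{([^}]+)\}", version)
            if m:
                version = props.get(m.group(1), "")
            return version
    return None


def assess(log4j_xml, pom_xml):
    """Combine both checks: exposed only if the version is below the fix AND
    a pattern reads Thread Context data (the advisory's non-default case)."""
    patterns = risky_patterns(log4j_xml)
    version = log4j_core_version(pom_xml)
    below_fix = version is not None and parse_version(version) < FIXED_VERSION
    return {
        "version": version,
        "below_fix": below_fix,
        "risky_patterns": patterns,
        "exposed": below_fix and bool(patterns),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_LOG4J_XML, SAMPLE_POM_XML))
```

Note that the check only inspects what the POM declares; a transitively pulled log4j-core should be verified from the resolved dependency tree or the shipped jar names, since a lower version there would be missed here.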



[jira] [Commented] (JAMES-3685) upgrade to log4j 2.16.0

2021-12-14 Thread Benoit Tellier (Jira)


[ 
https://issues.apache.org/jira/browse/JAMES-3685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459114#comment-17459114
 ] 

Benoit Tellier commented on JAMES-3685:
---

According to Log4J 2.16.0 release notes...


{quote}
While this change is recommended, it is NOT
required to fix CVE-2021-44228.
{quote}

-> Nice to have!

