Re: 0-day CVE in log4j

2021-12-20 Thread Maxim Muzafarov
Vishwas Bm, I've found the same for the Zookeeper IP finder module. It seems to me that it must be fixed also.

[1] https://github.com/apache/ignite/blob/master/modules/zookeeper/pom.xml#L114

On Mon, 20 Dec 2021 at 13:39, Vishwas Bm wrote:
> Correct url to rest-http module

Re: 0-day CVE in log4j

2021-12-20 Thread Vishwas Bm
Correct url to rest-http module:
https://github.com/apache/ignite/blob/21f7ca41c4348909e2fd26ccf59b5b2ce1f4474e/modules/rest-http/pom.xml#L131

On Mon, 20 Dec, 2021, 16:06 Vishwas Bm, wrote:
> Hi,
>
> Why is ignite rest module still using old log4j version dependency?

Re: 0-day CVE in log4j

2021-12-20 Thread Vishwas Bm
Hi,

Why is the ignite rest module still using the old log4j version dependency?
https://github.com/apache/ignite/blob/21f7ca41c4348909e2fd26ccf59b5b2ce1f4474e/modules/log4j/pom.xml#L46

Can this be removed? There is a critical CVE against this package.

Regards,
Vishwas

On Wed, 15 Dec, 2021, 12:57

Re: 0-day CVE in log4j

2021-12-14 Thread Aleksandr Nikolaev
Hi folks,

OK, I'm updating the log4j version from 2.15 to 2.16: https://issues.apache.org/jira/browse/IGNITE-16127

On 15.12.2021 09:54, Pavel Tupitsyn wrote:
> Igniters,
> Looks like we need to update to 2.16, there is an additional attack vector [1]
> [1]

Re: 0-day CVE in log4j

2021-12-14 Thread Pavel Tupitsyn
Igniters,

Looks like we need to update to 2.16, there is an additional attack vector [1]

[1] https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/

On Mon, Dec 13, 2021 at 4:06 PM Maxim Muzafarov wrote:
> Folks,
>
> Should we describe all the WA available for the issue [1]?

Re: 0-day CVE in log4j

2021-12-13 Thread Maxim Muzafarov
Folks,

Should we describe all the WA available for the issue [1]? There is already a lot of information about the CVE, and nevertheless, it will not be superfluous.

[1] https://issues.apache.org/jira/browse/IGNITE-16101

On Mon, 13 Dec 2021 at 15:37, Ivan Daschinsky wrote:
> Unfortunately, we

Re: 0-day CVE in log4j

2021-12-13 Thread Ivan Daschinsky
Unfortunately, we need to patch our Log4j2 adapter in order to work with log4j-2.15, so there is no choice other than to release 2.11.1.

Mon, 13 Dec 2021 at 15:21, Anton Vinogradov:
> Folks,
>
> My 200 rubles here,
>
> I want to include it to the 2.12 scope.
> Why not 2.11.1 as well?
> We should

Re: 0-day CVE in log4j

2021-12-13 Thread Maxim Muzafarov
+1 for the 2.11.1

On Mon, 13 Dec 2021 at 15:21, Anton Vinogradov wrote:
> Folks,
>
> My 200 rubles here,
>
> I want to include it to the 2.12 scope.
> Why not 2.11.1 as well?
> We should provide a fixed version for current customers asap.
> 2.12 require migration, while 2.11.1 can be applied

Re: 0-day CVE in log4j

2021-12-13 Thread Anton Vinogradov
Folks,

My 200 rubles here,

> I want to include it to the 2.12 scope.

Why not 2.11.1 as well? We should provide a fixed version for current customers asap. 2.12 requires migration, while 2.11.1 can be applied as-is.

On Mon, Dec 13, 2021 at 12:18 PM Stephen Darlington <

Re: 0-day CVE in log4j

2021-12-13 Thread Stephen Darlington
Another workaround appears to be using the -Dlog4j2.formatMsgNoLookups=true option.

Also, "Java versions greater than 6u211, 7u201, 8u191, and 11.0.1 are less affected by this attack vector, at least in theory, because the JNDI can't load remote code using LDAP."

Re: 0-day CVE in log4j

2021-12-12 Thread Dmitriy Pavlov
Hi Igniters,

Preliminary: the change of the log4j version does not affect any tests (Alexander Nikolaev, correct me if I'm wrong).

If you're using embedded Ignite, it's perfectly possible to enforce the log4j2 dependency to be 2.15.0 in your project's final pom.xml or build.gradle or any other build
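The messages above point at module pom.xml files still carrying an old log4j version and suggest enforcing the log4j2 version in the consuming project's own pom.xml. As an added example that is not part of this thread or of the Ignite code base, here is a small audit that reads a pom.xml, resolves `${property}` references in dependency versions, and reports log4j artifacts below a minimum version; the sample pom is constructed, and the 2.16.0 threshold is the version this thread upgrades to, not a statement of the final fixed release.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml: a stale log4j-core pin hidden behind a Maven
# property, the pattern the thread points at in module pom.xml files.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <log4j.version>2.11.0</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.16.0</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
MIN_SAFE = (2, 16, 0)  # assumed threshold: the version this thread moves to

def parse_version(text):
    """'2.11.0' -> (2, 11, 0); non-numeric parts are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def resolve(value, props):
    """Expand ${prop} references against the pom's <properties>."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

def find_stale_log4j(pom_xml, min_safe=MIN_SAFE):
    """Return [(artifactId, resolved_version)] for log4j artifacts below min_safe."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    stale = []
    for dep in root.iter("{%s}dependency" % NS["m"]):
        if dep.findtext("m:groupId", "", NS) != "org.apache.logging.log4j":
            continue
        artifact = dep.findtext("m:artifactId", "", NS)
        version = resolve(dep.findtext("m:version", "", NS), props)
        # A missing version (inherited from a parent) is flagged for manual review.
        if not version or parse_version(version) < min_safe:
            stale.append((artifact, version))
    return stale

if __name__ == "__main__":
    for artifact, version in find_stale_log4j(SAMPLE_POM):
        print("stale: %s %r below %s" % (artifact, version, ".".join(map(str, MIN_SAFE))))
```

Dependencies managed in a parent pom or via dependencyManagement show up with an empty version here, which is exactly the case to follow up by hand.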

Re: 0-day CVE in log4j

2021-12-10 Thread Nikita Amelchev
Hello.

The issue to update the dependency was created: https://issues.apache.org/jira/browse/IGNITE-16101

I want to include it to the 2.12 scope.

Sat, 11 Dec 2021, 09:19 Raymond Wilson:
> All
>
> This blew up today: CVE-2021-44228 (

0-day CVE in log4j

2021-12-10 Thread Raymond Wilson
All,

This blew up today: CVE-2021-44228 ( https://www.bleepingcomputer.com/news/security/new-zero-day-exploit-for-log4j-java-library-is-an-enterprise-nightmare/ )

Will there be a risk assessment with respect to Ignite for this CVE?

Thanks,
Raymond.

--
Raymond Wilson