Add CVE-2021-44228 mitigation for ES #2892
LGTM! Thank you @FlorianHockmann.
LGTM and thank you for fixing this!
I have to admit that I didn't test the change yesterday when I created the PR, as I was a bit in a hurry but wanted to get a PR ready for review with this fix. I am therefore personally leaning towards only releasing a fix for 0.6, given the effort required for the What do others think about this?
24d96cc to 6cbd4ad
This only mitigates the CVE for the ES included in the pre-packaged distribution. Users who maintain their own ES (or Solr) installation need to apply the mitigation there by themselves.

More information about how JanusGraph is affected by the CVE can be found here: https://lists.lfaidata.foundation/g/janusgraph-users/message/6272

The mitigation is recommended in the summary provided by Elasticsearch: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Fixes #2891

Signed-off-by: Florian Hockmann <fh@florian-hockmann.de>
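Because the change only covers the Elasticsearch instance shipped in the pre-packaged distribution, anyone running their own ES has to apply the mitigation by hand. The Elastic advisory linked above (ESA-2021-31) recommends setting `-Dlog4j2.formatMsgNoLookups=true` in the JVM options. The script below is an added example, not code from this PR, from JanusGraph or from Elastic: it adds that flag to a `jvm.options` file idempotently and offers a check that the flag actually reached a running JVM. The `jvm.options` path, the Linux `/proc` layout and the PID handling are assumptions. Note that the property only takes effect on Log4j 2.10 or later and is a stop-gap; the remedy is upgrading Log4j (or ES) to a fixed version.

```shell
#!/bin/sh
# Added example (not JanusGraph's or Elastic's own code). Assumes the ES
# instance reads its JVM flags from a jvm.options file whose path is
# passed on the command line.
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# has_mitigation FILE
#   Exit 0 if FILE carries the flag as a complete, uncommented line,
#   1 otherwise. -F: literal match, -x: whole line, so a commented-out
#   or partially typed flag does not count.
has_mitigation() {
    grep -qxF -- "$FLAG" "$1"
}

# ensure_mitigation FILE
#   Append the flag unless it is already present. Safe to run repeatedly.
#   Exit 2 if FILE does not exist (we never create a jvm.options from scratch).
ensure_mitigation() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    if has_mitigation "$file"; then
        echo "already present: $file"
        return 0
    fi
    printf '\n# CVE-2021-44228 mitigation (ESA-2021-31)\n%s\n' "$FLAG" >> "$file"
    echo "appended: $file"
}

# check_running PID
#   After a restart, confirm the flag is on the JVM's real command line.
#   Reads /proc/PID/cmdline (NUL-separated), assumption: Linux host.
check_running() {
    tr '\0' '\n' < "/proc/$1/cmdline" | grep -qxF -- "$FLAG"
}

# Usage: ./mitigate.sh /path/to/elasticsearch/config/jvm.options
if [ $# -gt 0 ]; then
    ensure_mitigation "$1"
fi
```

Run it once against the ES config, restart the node, then `check_running "$(pgrep -f org.elasticsearch.bootstrap.Elasticsearch)"` (a hypothetical invocation) tells you whether the restarted JVM really picked the flag up; editing the file alone does nothing for the process already running.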
6cbd4ad to 16a7676
I changed the base branch to