Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

upgrade log4j2 to 2.16.0 #9433

Merged
merged 1 commit into from Dec 17, 2021
Merged

upgrade log4j2 to 2.16.0 #9433

merged 1 commit into from Dec 17, 2021

Conversation

wuwen5
Copy link
Contributor

@wuwen5 wuwen5 commented Dec 17, 2021

What is the purpose of the change

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

@codecov-commenter
Copy link

@codecov-commenter codecov-commenter commented Dec 17, 2021

Codecov Report

Merging #9433 (3793e26) into master (578bfcb) will increase coverage by 0.01%.
The diff coverage is n/a.

Impacted file tree graph

@@             Coverage Diff              @@
##             master    #9433      +/-   ##
============================================
+ Coverage     60.81%   60.82%   +0.01%     
+ Complexity      446      445       -1     
============================================
  Files          1100     1100              
  Lines         44515    44515              
  Branches       6477     6477              
============================================
+ Hits          27070    27078       +8     
+ Misses        14472    14470       -2     
+ Partials       2973     2967       -6     
Impacted Files Coverage Δ
...ntext/event/AwaitingNonWebApplicationListener.java 48.48% <0.00%> (-24.25%) ⬇️
...he/dubbo/remoting/transport/netty/NettyServer.java 70.17% <0.00%> (-3.51%) ⬇️
...ting/zookeeper/curator/CuratorZookeeperClient.java 67.79% <0.00%> (-1.13%) ⬇️
...ng/transport/dispatcher/all/AllChannelHandler.java 89.65% <0.00%> (ø)
...apache/dubbo/common/extension/ExtensionLoader.java 81.31% <0.00%> (+0.21%) ⬆️
...dubbo/remoting/exchange/support/DefaultFuture.java 89.18% <0.00%> (+0.90%) ⬆️
.../exchange/support/header/HeaderExchangeServer.java 69.52% <0.00%> (+1.90%) ⬆️
...a/org/apache/dubbo/monitor/dubbo/DubboMonitor.java 88.57% <0.00%> (+1.90%) ⬆️
...pache/dubbo/registry/support/AbstractRegistry.java 80.74% <0.00%> (+2.59%) ⬆️
...ubbo/registry/support/AbstractRegistryFactory.java 83.09% <0.00%> (+2.81%) ⬆️
... and 4 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 578bfcb...3793e26. Read the comment docs.

Copy link
Member

@CrazyHZM CrazyHZM left a comment

LGTM

guohao
guohao approved these changes Dec 17, 2021
Copy link
Contributor

@guohao guohao left a comment

LGTM

@CrazyHZM CrazyHZM mentioned this pull request Dec 17, 2021
8 tasks
@CrazyHZM CrazyHZM merged commit daeeeb7 into apache:master Dec 17, 2021
10 checks passed
@justinmclean
Copy link
Member

@justinmclean justinmclean commented Dec 18, 2021

2.17.0 is out you would probably want to use that instead.

@AlbumenJ
Copy link
Member

@AlbumenJ AlbumenJ commented Dec 22, 2021

2.17.0 is out you would probably want to use that instead.

Upgrade to 2.17.0 in #9444.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

6 participants