DynamoDBLocal uses vulnerable log4j

[iviraj90]

Describe the issue

DynamoDBLocal uses vulnerable log4j. in latest version i.e. 1.15.0
When can we expect it to be fixed
Please let me know if this is not correct place to ask

Steps to Reproduce

Current behavior

AWS Java SDK version used

1.11.907

JDK version used

1.11

Operating System and version

windows

[debora-ito]

@iviraj90 the DynamoDBLocal library is owned by the DynamoDB team, I will reach out to them and ask for a status update.

[tkarnaAWS]

@iviraj90 we rebuilt the log4j library with an internal binary.
to upgrade to the 1.17.1 which is out right now for the patch!
even though it says that log4j is 2.13.3 version, we built that version using internal binaries that we validated using an external process.

[iviraj90]

does it means 1.17.1 will have non vulnerable log4j 2.13.3?
Also When can we expect 1.17.1 to be on maven repository https://mvnrepository.com/artifact/com.amazonaws/DynamoDBLocal?repo=dynamodb-local-release

[tkarnaAWS]

yes 1.17.1 will have non vulnerable log4j 2.13.3

and it is released on Maven right now even if it doesn't show up on the website, for some reason it doesn't captured properly.

But if they specify:
[1.12,2.0)
or
1.17.1
it will pull the latest update, or use the specified version

This can be checked by

cd ~
cd .m2
open .

And then under repository > com > amazonaws > DynamoDBLocal > there will be a folder showing 1.17.1, showing that it pulled the latest update successfully to their local machine.

[debora-ito]

@iviraj90 let us know if you have follow-up questions.

[iviraj90]

Thank you.
Unfortunately, as of now , I could not download 1.17.1 from maven.
But where I can find official documentation regarding this patch (about log4) ?

[debora-ito]

@iviraj90 you need to add the custom DynamoDB Local Release Repository to the pom.xml:

<!--Custom repository:-->
<repositories>
    <repository>
       <id>dynamodb-local-oregon</id>
       <name>DynamoDB Local Release Repository</name>
       <url>https://s3-us-west-2.amazonaws.com/dynamodb-local/release</url>
    </repository>
</repositories>

<dependencies>
    <dependency>
       <groupId>com.amazonaws</groupId>
       <artifactId>DynamoDBLocal</artifactId>
       <version>1.17.1</version>
    </dependency>
</dependencies>

For repo URLs in other aws regions, check https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DynamoDBLocal.DownloadingAndRunning.html

I don't see any instructions on the official documentation about this patch specifically, will ask the documentation team to make it more clear.