
fix: Log4j Security Vulnerabilities #1604

Merged 1 commit into halo-dev:master on Dec 22, 2021

Conversation

HAHH9527
Contributor

What this PR does

Upgrade the log4j dependency to 2.17.0

Why do we need it?

In non-default configurations (for example: $${ctx:loginId}), an attacker can hand-craft malicious input data containing a recursive lookup, causing a StackOverflowError.
2.17.0 removes JNDI support for the LDAP protocol.

How to test it?

All log4j dependencies have been replaced

PS E:\Halo Dev\halo> .\gradlew.bat dependencies | findstr log4j
|    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1 -> 2.17.0
|    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.17.0          
|    +--- org.apache.logging.log4j:log4j-core:2.8.2 -> 2.17.0               
|    |    \--- org.apache.logging.log4j:log4j-api:2.17.0                    
|    \--- org.apache.logging.log4j:log4j-api:2.8.2 -> 2.17.0                
|    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1 -> 2.17.0
|    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.17.0          
|    +--- org.apache.logging.log4j:log4j-core:2.8.2 -> 2.17.0               
|    |    \--- org.apache.logging.log4j:log4j-api:2.17.0                    
|    \--- org.apache.logging.log4j:log4j-api:2.8.2 -> 2.17.0                
|    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1 -> 2.17.0
|    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.17.0          
|    +--- org.apache.logging.log4j:log4j-core:2.8.2 -> 2.17.0               
|    |    \--- org.apache.logging.log4j:log4j-api:2.17.0                    
|    \--- org.apache.logging.log4j:log4j-api:2.8.2 -> 2.17.0                
|    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1 -> 2.17.0
|    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.17.0          
|    +--- org.apache.logging.log4j:log4j-core:2.8.2 -> 2.17.0               
|    |    \--- org.apache.logging.log4j:log4j-api:2.17.0
|    \--- org.apache.logging.log4j:log4j-api:2.8.2 -> 2.17.0
|    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1 -> 2.17.0
|    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.17.0
|    +--- org.apache.logging.log4j:log4j-core:2.8.2 -> 2.17.0
|    |    \--- org.apache.logging.log4j:log4j-api:2.17.0
|    \--- org.apache.logging.log4j:log4j-api:2.8.2 -> 2.17.0
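Eyeballing `gradlew dependencies | findstr log4j` works for a small tree, but a transitive entry that still resolves to an old version is easy to miss across repeated configuration subtrees. The script below is an added example (not part of the halo project) that parses the Gradle dependency-report lines shown in this PR, collects the version each `org.apache.logging.log4j` artifact actually resolves to (the right-hand side of `->`, or the declared version when there is no arrow), and lists anything below the minimum patched version. The minimum of 2.17.0 and the sample report are taken from this PR; the extra stale `log4j-core:2.14.1` line in the second sample is constructed to show what a failing check looks like.

```python
"""Check that every log4j artifact in a Gradle dependency report resolves to a
patched version. Added example, not halo project code; the sample report is
constructed from the `gradlew dependencies` lines in this PR description."""
import re
from typing import Dict, List, Set, Tuple

# Matches the artifact part of a Gradle dependency-tree line such as
#   +--- org.apache.logging.log4j:log4j-core:2.8.2 -> 2.17.0
#   \--- org.apache.logging.log4j:log4j-api:2.17.0
# The optional "-> x.y.z" is the version Gradle actually resolved to.
DEP_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<declared>[\w.\-]+)"
    r"(?:\s*->\s*(?P<resolved>[\w.\-]+))?"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.17.0' into (2, 17, 0) so versions compare numerically,
    not lexically (lexically '2.8.2' > '2.17.0', which is wrong)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def resolved_log4j_versions(
    report: str, group: str = "org.apache.logging.log4j"
) -> Dict[str, Set[str]]:
    """Map each artifact in `group` to the set of versions it resolves to.
    Repeated subtrees (one per Gradle configuration) dedupe into the set."""
    found: Dict[str, Set[str]] = {}
    for line in report.splitlines():
        m = DEP_RE.search(line)
        if not m or m.group("group") != group:
            continue
        version = m.group("resolved") or m.group("declared")
        found.setdefault(m.group("artifact"), set()).add(version)
    return found


def unpatched(report: str, minimum: str = "2.17.0") -> List[Tuple[str, str]]:
    """Return (artifact, version) pairs that resolve below `minimum`.
    An empty list means every log4j artifact is at or above the floor."""
    floor = parse_version(minimum)
    bad: List[Tuple[str, str]] = []
    for artifact, versions in sorted(resolved_log4j_versions(report).items()):
        for v in sorted(versions):
            if parse_version(v) < floor:
                bad.append((artifact, v))
    return bad


# Constructed sample: one subtree exactly as printed in the PR description.
SAMPLE_REPORT = """\
|    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1 -> 2.17.0
|    |    |    |    \\--- org.apache.logging.log4j:log4j-api:2.17.0
|    +--- org.apache.logging.log4j:log4j-core:2.8.2 -> 2.17.0
|    |    \\--- org.apache.logging.log4j:log4j-api:2.17.0
|    \\--- org.apache.logging.log4j:log4j-api:2.8.2 -> 2.17.0
"""

# Constructed failure case: a hypothetical transitive log4j-core that was
# never forced up, hidden among otherwise clean lines.
STALE_REPORT = SAMPLE_REPORT + (
    "|    \\--- org.apache.logging.log4j:log4j-core:2.14.1\n"
)

if __name__ == "__main__":
    for name, rep in (("clean", SAMPLE_REPORT), ("stale", STALE_REPORT)):
        print(name, unpatched(rep) or "all log4j artifacts >= 2.17.0")
```

To use it against a real build, pipe the full `gradlew dependencies` output into `unpatched()` instead of the constructed sample, and raise the `minimum` argument to whatever Log4j release your project currently targets; the version floor is a parameter precisely because 2.17.0 was the fix level at the time of this PR, not a permanent answer.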

update Log4j version to 2.17.0
- CVE-2021-45105 Fixed in Log4j 2.17.0 (Java 8)
- CVE-2021-45046 Fixed in Log4j 2.16.0 (Java 8)
@JohnNiang JohnNiang added the dependencies Pull requests that update a dependency file label Dec 22, 2021
@JohnNiang JohnNiang added this to the 1.4.x milestone Dec 22, 2021
@ruibaby ruibaby merged commit 201e934 into halo-dev:master Dec 22, 2021
@ruibaby
Member

ruibaby commented Dec 22, 2021

Thanks for your first contribution~

@JohnNiang
Member

@ruibaby we need to cherry pick this commit into release-1.4.

@ruibaby
Member

ruibaby commented Dec 22, 2021

@ruibaby we need to cherry pick this commit into release-1.4.

processing~
