From a05e4f51f395c3993a8be632b7b471f992f545fd Mon Sep 17 00:00:00 2001 From: Helen Yang Date: Mon, 13 Dec 2021 11:28:12 -0800 Subject: [PATCH 1/4] Update log4j2 --- CHANGELOG.md | 3 +++ gradle.properties | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4264d9e3162..54c23e48647 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ # CHANGELOG +# Version 2.6.4 +* Upgrade log4j2 appender from 2.11.0 to 2.15.0. + # Version 2.6.3 * Update xstream dependency [#1580](https://github.com/microsoft/ApplicationInsights-Java/issues/1479) * Upgrade gradle from 5.5.1 to 6.8.3 diff --git a/gradle.properties b/gradle.properties index fbab2029578..8cb95980d95 100644 --- a/gradle.properties +++ b/gradle.properties @@ -1,3 +1,3 @@ // Project properties -version=2.6.3 +version=2.6.4 group=com.microsoft.azure \ No newline at end of file From ab2625541e600093da085993fe2f43ec614d26ab Mon Sep 17 00:00:00 2001 From: Helen Yang Date: Mon, 13 Dec 2021 12:00:54 -0800 Subject: [PATCH 2/4] Update changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 54c23e48647..11f943c3642 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,7 @@ # CHANGELOG # Version 2.6.4 -* Upgrade log4j2 appender from 2.11.0 to 2.15.0. +* Mitigate a critical Log4j RCE vulnerability[CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228). # Version 2.6.3 * Update xstream dependency [#1580](https://github.com/microsoft/ApplicationInsights-Java/issues/1479) From a752c2baebde914b18a218aa4e89d3534681944e Mon Sep 17 00:00:00 2001 From: Trask Stalnaker Date: Mon, 13 Dec 2021 15:23:17 -0800 Subject: [PATCH 3/4] Update CHANGELOG.md --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 11f943c3642..171e8f76779 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,7 +1,8 @@ # CHANGELOG # Version 2.6.4 -* Mitigate a critical Log4j RCE vulnerability[CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228). +* Update `applicationinsights-logging-log4j2` artifact to not pull in log4j2 dependency on its own. Users should already be bringing their own version of log4j2 (and should be upgrading that version or applying the mitigation steps from [CVE-2021-44228](https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/)). The update ensures that users *have* to bring their own version of log4j. + ([#2002](https://github.com/microsoft/ApplicationInsights-Java/issues/2002)) # Version 2.6.3 * Update xstream dependency [#1580](https://github.com/microsoft/ApplicationInsights-Java/issues/1479) From 50ab7f8609c141a4df8d11a413c9a395de23383d Mon Sep 17 00:00:00 2001 From: Trask Stalnaker Date: Mon, 13 Dec 2021 15:24:12 -0800 Subject: [PATCH 4/4] Update CHANGELOG.md --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 171e8f76779..ce978ab996e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,7 +1,7 @@ # CHANGELOG # Version 2.6.4 -* Update `applicationinsights-logging-log4j2` artifact to not pull in log4j2 dependency on its own. Users should already be bringing their own version of log4j2 (and should be upgrading that version or applying the mitigation steps from [CVE-2021-44228](https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/)). The update ensures that users *have* to bring their own version of log4j. +* Update `applicationinsights-logging-log4j2` artifact to not pull in log4j2 dependency on its own. Users should already be bringing their own version of log4j2 (and should be upgrading that version or applying the mitigation steps from [CVE-2021-44228](https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/)). The update ensures that users *have* to bring their own version of log4j2. ([#2002](https://github.com/microsoft/ApplicationInsights-Java/issues/2002)) # Version 2.6.3
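
Review bot: In the CHANGELOG.md hunk of patch 1/4, the added entry `* Upgrade log4j2 appender from 2.11.0 to 2.15.0.` describes a dependency change that this patch does not contain. The diffstat lists only CHANGELOG.md and gradle.properties, and the gradle.properties hunk changes nothing but `version`. Include the build-file change that moves the log4j2 version in this commit, or reference the commit that does, so the changelog claim can be checked against a diff.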
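
Review bot: The gradle.properties hunk in patch 1/4 still ends with `\ No newline at end of file` after `group=com.microsoft.azure`; add the trailing newline while the file is being touched. The first context line, `// Project properties`, is also not comment syntax in a properties file, where comments start with `#` or `!`, so it is read as a key named `//`; changing it to `# Project properties` avoids that.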
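
Review bot: In the CHANGELOG.md hunk of patch 2/4, the new entry has no space between `vulnerability` and `[CVE-2021-44228]`, and it drops the version information (`from 2.11.0 to 2.15.0`) that the replaced line carried. Keep both pieces: name the CVE and state what changed, so a reader auditing their exposure can tell from the changelog alone which log4j2 version this release moves to.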
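
Review bot: The rewritten entry in patch 3/4 says `applicationinsights-logging-log4j2` no longer pulls in log4j2, but the patch changes only CHANGELOG.md, so the dependency change itself cannot be reviewed here; include it or link the commit that makes it. Because the entry says users now *have* to bring their own log4j2, a build that relied on the transitive dependency can break when moving from 2.6.3 to 2.6.4, and the entry should state that as a required action rather than leave it implied. The link labelled `CVE-2021-44228` now points at the MSRC blog post instead of the CVE record used in patch 2/4; label it as the Microsoft guidance or keep both links. The last added sentence also says `log4j` where the rest of the entry says `log4j2`.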
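
Review bot: The trailing context of the patch 4/4 hunk sits directly above the Version 2.6.3 entry whose link reads `[#1580]` but targets `issues/1479` (visible in the context of patches 1/4 to 3/4); the label and the issue number disagree and one of them should be corrected while this file is being edited. The change here is a one-word fix (`log4j` to `log4j2`) to a line introduced by patch 3/4, so it can be squashed into that patch to keep the history of the security note in one commit.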