
Upgrade log4j-core version to fix CVE-2021-45105 #617

Merged (1 commit), Dec 20, 2021

Conversation

skjelmo
Contributor

@skjelmo skjelmo commented Dec 18, 2021

Overview

This PR upgrades log4j-core to the latest version (2.17.0) to protect against uncontrolled recursion from self-referential lookups, fixing CVE-2021-45105 (relevant for Java 8 and later).

References:
https://logging.apache.org/log4j/2.x/security.html
https://issues.apache.org/jira/browse/LOG4J2-3230

Related GitHub Issue

#605

Related PR

#603
#610
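
The PR body states the fix versions by release line (2.17.0 for Java 8 and later; the thread also names 2.12.3 for the 6.5.x agent on Java 7). The script below is an added example for defenders checking their own build output; it is not code from this PR or from the New Relic agent repository. It parses the coordinate format printed by `mvn dependency:tree`, flags every log4j-core version still inside the CVE-2021-45105 range, and treats the patched maintenance releases as safe. The sample tree is constructed for the example, and the 2.3.1 (Java 6 line) entry comes from the Apache security page the PR links, not from the thread itself.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Lowest fixed version per release line (major, minor, patch, prerelease flag).
# 2.17.0 and 2.12.3 are named in the PR thread; 2.3.1 is the Java 6 fix line
# listed on the Apache Log4j security page the PR references.
FIXED: Dict[Tuple[int, int], Version] = {
    (2, 17): (2, 17, 0, 0),
    (2, 12): (2, 12, 3, 0),
    (2, 3): (2, 3, 1, 0),
}

# Coordinate format printed by `mvn dependency:tree`:
#   group:artifact:packaging:version:scope
COORD_RE = re.compile(
    r"org\.apache\.logging\.log4j:log4j-core:[\w-]+:(?P<version>[0-9][\w.-]*)"
)


def parse_version(text: str) -> Version:
    """Turn '2.12.3' into (2, 12, 3, 0).

    A pre-release suffix such as '2.0-beta9' or '2.17.0-rc1' yields a trailing
    -1 so it sorts below the corresponding final release.
    """
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)", text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    prerelease = -1 if suffix else 0
    return (int(major), int(minor or 0), int(patch or 0), prerelease)


def is_vulnerable(version: str) -> bool:
    """True when the version is a 2.x release below 2.17.0 that is not one of
    the patched maintenance lines (2.12.3 / 2.3.1 and later in their line)."""
    v = parse_version(version)
    if v[0] != 2:
        return False  # log4j 1.x is a different code base; not this CVE
    if v >= (2, 17, 0, 0):
        return False
    fixed = FIXED.get((v[0], v[1]))
    if fixed is not None and v >= fixed:
        return False
    return True


def scan_dependency_tree(lines: List[str]) -> List[Tuple[str, bool]]:
    """Return (version, vulnerable) for each log4j-core coordinate found."""
    findings = []
    for line in lines:
        m = COORD_RE.search(line)
        if m:
            ver = m.group("version")
            findings.append((ver, is_vulnerable(ver)))
    return findings


# Constructed sample of `mvn dependency:tree` output (not from the PR). The
# first two modules mirror the "before" (2.16.0) and "after" (2.17.0) of the
# upgrade; the third is a Java 7 module on the patched 2.12.x line.
SAMPLE_TREE = """\
[INFO] com.example:service-a:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.16.0:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.16.0:compile
[INFO] com.example:service-b:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.0:compile
[INFO] com.example:legacy-java7:jar:1.0.0
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.12.3:compile
"""

if __name__ == "__main__":
    for ver, vuln in scan_dependency_tree(SAMPLE_TREE.splitlines()):
        status = "VULNERABLE (CVE-2021-45105)" if vuln else "ok"
        print(f"log4j-core {ver}: {status}")
```

Pipe real `mvn dependency:tree` output into `scan_dependency_tree` to get the same report for a project; the version comparison is kept separate from the parsing so that the same `is_vulnerable` check can be reused against a Gradle dependency listing or a list of jar file names.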

@skjelmo changed the title from "Upgrade log4j-core version bump to fix CVE-2021-45105" to "Upgrade log4j-core version to fix CVE-2021-45105" on Dec 18, 2021
@yrsurya

yrsurya commented Dec 19, 2021

Any ETA on when this is going to be released?

@yrsurya

yrsurya commented Dec 19, 2021

We are in the process of updating our APM agent for nearly ~1000 apps; it would be nice if we could have an update on releasing the new version so that we don't need to redeploy again to pick up the new version.

Thanks for approving @meiao

@yrsurya

yrsurya commented Dec 20, 2021

@skjelmo looks like it is failing checks

@mattpull

mattpull commented Dec 20, 2021

> @skjelmo looks like it is failing checks

@yrsurya - Looks like checks have passed now.

@chukka

chukka commented Dec 20, 2021

@meiao @skjelmo waiting for this to be merged and a new version to be released


@byjay byjay left a comment


LGTM

@meiao meiao merged commit c88cdab into newrelic:main Dec 20, 2021
meiao pushed a commit that referenced this pull request Dec 20, 2021
@j00ris

j00ris commented Dec 20, 2021

Any plans for upgrading 6.5.2 to Log4j 2.12.3?

@michael-j-oreilly

@meiao see @j00ris's question above: any plans for updating 6.5.2? If so, any ideas on the timeframe? Thanks

@meiao
Contributor

meiao commented Dec 20, 2021

We will release a 6.5.3 with log4j 2.12.3 when it is available.

9 participants