[CVE-2021-44228] Upgrade to log4j2 2.15.0 #414

Closed
grgrzybek opened this issue Dec 10, 2021 · 6 comments

@grgrzybek
Member Author

Workaround - set system property:

log4j2.formatMsgNoLookups = true

@grgrzybek
Member Author

The releases are already available in Maven Central

Pax Logging's own security advisory is here: GHSA-xxfh-x98p-j8fr

@akhaware

Should this be updated to 2.16.0? This has an improved fix over 2.15.0.

@grgrzybek
Member Author

This issue was created (and resolved) a few hours after the CVE discovery and Log4j2 2.15.0 release.
Then, after 2.16.0 was released, I've created, solved and deployed to Maven Central #416.

@akhaware

Thanks a lot for the fix and the confirmation.
On a side note, may I ask if org.ops4j.pax.logging project is used by the pax-exam-container-karaf project or the pax-jdbc-features project?
Thanks in advance.

@grgrzybek
Member Author

Pax JDBC features are not installing Pax Logging features. What's more, Pax Logging project doesn't define any Karaf features, as the Pax Logging bundles should be provided by low-level bundles (usually ones specified in etc/startup.properties).

Pax Exam uses Pax Logging bundles and afaik, these are hardcoded in Pax Exam itself. However, if you have a look at how Pax Web uses Pax Exam, you'll find that I use the manual configuration and configure everything (including Pax Logging) myself. See for example https://github.com/ops4j/org.ops4j.pax.web/blob/main/pax-web-itest/pax-web-itest-common/src/main/java/org/ops4j/pax/web/itest/AbstractControlledTestBase.java#L143-L171
