[CVE-2021-44228] Upgrade to log4j2 2.15.0 #414
Comments
Workaround - set system property:
|
The releases are already available in Maven Central. Pax Logging's own security advisory is here: GHSA-xxfh-x98p-j8fr |
Should this be updated to 2.16.0? This has an improved fix over 2.15.0. |
This issue was created (and resolved) a few hours after the CVE discovery and Log4j2 2.15.0 release. |
Thanks a lot for the fix and the confirmation. |
Pax JDBC features are not installing Pax Logging features. What's more, the Pax Logging project doesn't define any Karaf features, as the Pax Logging bundles should be provided by low-level bundles (usually ones specified in etc/startup.properties). Pax Exam uses Pax Logging bundles and afaik, these are hardcoded in Pax Exam itself. However, if you have a look at how Pax Web uses Pax Exam, you'll find that I use the manual configuration and configure everything (including Pax Logging) myself. See for example https://github.com/ops4j/org.ops4j.pax.web/blob/main/pax-web-itest/pax-web-itest-common/src/main/java/org/ops4j/pax/web/itest/AbstractControlledTestBase.java#L143-L171 |
https://access.redhat.com/security/cve/CVE-2021-44228
https://issues.apache.org/jira/browse/LOG4J2-3198
https://logging.apache.org/log4j/2.x/changes-report.html#a2.15.0
https://issues.apache.org/jira/browse/LOG4J2-3201
apache/logging-log4j2#608
GHSA-jfh8-c2jp-5v3q