Conversation

@yakirgb
Contributor

@yakirgb yakirgb commented Dec 12, 2021

Fixes #725
Upgrade log4j-core from 2.1 to 2.15.0

Fixes prometheus#725

Signed-off-by: Yakir Gibraltar <yakir.g@taboola.com>
Member

@fstab fstab left a comment

Thanks, it's merged.

However: simpleclient_log4j2 gets metrics out of log4j2, but it does not log with log4j2. So simpleclient_log4j2 is not affected by the CVE.

Anyway, as people will likely scan their dependencies for old log4j2 versions, I will release this soon so that simpleclient_log4j2 does not pop up as a false security alert.

@desjardd1

Hello, is there a place to see if 2.16 has been deployed? 2.15 is still vulnerable (critical). Thanks.

@fstab
Member

fstab commented Dec 17, 2021

Hi, I just updated to 2.16. It will be in the next release, which will come soon as we also want to release the SSL support for the HTTPServer.

That being said: With rel 0.13.0 we marked the log4j dependency in simpleclient_log4j2 as provided. That means simpleclient_log4j2 does not ship with log4j. Instead, it will use whatever log4j version is provided by the application being monitored.

If you monitor an application that still uses log4j 2.14.1, you will be vulnerable even if you use the current simpleclient_log4j2 for monitoring. If you monitor an application that is up-to-date with log4j 2.16.0, simpleclient_log4j2 will use 2.16.0 even though the current release was built with 2.15.0.
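
The comment above makes the practical point that, with the log4j dependency marked as `provided`, the log4j-core version that actually runs is the one the monitored application resolves, not the one simpleclient_log4j2 was built against. The check below is an added example (not code from the Prometheus client_java project) that parses the output of `mvn dependency:tree` for the monitored application and flags any resolved `org.apache.logging.log4j:log4j-core` below 2.16.0, the minimum the thread settled on. The sample tree text and the `com.example:monitored-app` coordinates are constructed for the example; the line format follows Maven's `groupId:artifactId:type:version:scope` layout.

```python
import re
from typing import List, Optional, Tuple

# Minimum log4j-core version the thread above treats as fixed (2.16.0).
MIN_SAFE_LOG4J = (2, 16, 0)

# Constructed sample of `mvn dependency:tree` output for a monitored application
# (hypothetical coordinates, not real project output). The application itself
# pins log4j-core 2.14.1; simpleclient_log4j2 brings no log4j of its own because
# its log4j dependency is `provided`, so 2.14.1 is what runs.
SAMPLE_TREE = """\
[INFO] com.example:monitored-app:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \\- io.prometheus:simpleclient_log4j2:jar:0.13.0:compile
[INFO]    \\- io.prometheus:simpleclient:jar:0.13.0:compile
"""

# One dependency line: tree drawing characters, then groupId:artifactId:type:version[:scope].
LINE_RE = re.compile(
    r"^\[INFO\]\s*[|+\\\- ]*([\w.\-]+):([\w.\-]+):([\w\-]+):([\w.\-]+)(?::(\w+))?\s*$"
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '2.14.1' into (2, 14, 1); missing components pad with 0."""
    nums = [int(n) for n in re.findall(r"\d+", version)][:3]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def resolved_log4j_core(tree_text: str) -> Optional[Tuple[str, str]]:
    """Return (version, scope) of the log4j-core artifact Maven resolved, or None."""
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        group, artifact, _type, version, scope = m.groups()
        if group == "org.apache.logging.log4j" and artifact == "log4j-core":
            return version, scope or "compile"
    return None


def find_vulnerable_log4j(tree_text: str, minimum=MIN_SAFE_LOG4J) -> List[str]:
    """List human-readable findings for a resolved log4j-core older than `minimum`."""
    resolved = resolved_log4j_core(tree_text)
    if resolved is None:
        return ["no log4j-core resolved: nothing provides it at runtime"]
    version, scope = resolved
    if parse_version(version) < minimum:
        want = ".".join(str(n) for n in minimum)
        return [f"log4j-core {version} ({scope}) is below {want}: upgrade the application's dependency"]
    return []


if __name__ == "__main__":
    for finding in find_vulnerable_log4j(SAMPLE_TREE):
        print(finding)
```

Run it against the real output of `mvn dependency:tree` for the application you monitor (pipe the output into `find_vulnerable_log4j`); an empty result means the application resolves a log4j-core at or above 2.16.0, which is also the version simpleclient_log4j2 will load at runtime.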

@fstab
Member

fstab commented Dec 18, 2021

I just released 0.14.0 with a log4j update to 2.16.0.

As said above, at runtime simpleclient_log4j2 uses the log4j version that ships with the monitored application, so it is more important to make sure that the application you want to monitor ships with an up-to-date log4j. However, the dependency triggers some security scanners so I released the update.

Linked issue (may be closed by merging this pull request): log4j version upgrade for CVE-2021-44228