log4j version vulnerable to CVE-2021-44228 #708
Comments
thanks for the heads up @anthonyjmartinez. do I understand it correctly, that with the new dependency version the disabling property is not needed because it becomes the default?
@goekay - You're welcome. As for the removal of JNDI, I can't say for sure. JNDI is exploited frequently and I believe that if it is not strictly needed it should be explicitly disabled to protect against possible regressions later down the line. Having been bitten by mistakenly believing one thing was a default when it wasn't more than a few times, I always favor being explicit when possible.
agreed in principle. however, when I dug deeper I found that this flag sources:
the changes are merged and I made a new release because of the importance of this. thanks @anthonyjmartinez !
@goekay - this appears to be the gift that keeps on giving. https://logging.apache.org/log4j/2.x/security.html has notice of a new CVE related to the previous one, mitigated by using 2.16.0. Do you want me to create another issue? Updated to add a direct link to the new CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
@anthonyjmartinez thanks for following this topic :) apparently, @benvia has a PR already, thanks!
Checklist
Specifications
Expected Behavior
SteVe operates without dependency on libraries with published high-severity CVE
Actual Behavior
SteVe operates with dependency on libraries with published high-severity CVE
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
and also https://logging.apache.org/log4j/2.x/security.html
...
Steps to Reproduce the Problem
N/A
Additional context
Recommend to a) disable JNDI entirely in the log4j config, and b) bump the version for the dependency on log4j to 2.15.0+
...
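As an added example, not code from the SteVe project or from anyone in this thread: a small Python check that reads a Maven pom.xml (a constructed sample is embedded inline; it is not SteVe's real pom), resolves the declared log4j-core version through Maven properties, and reports which of the two CVEs named here are still unaddressed, using the fixed versions this thread cites (2.15.0 for CVE-2021-44228, 2.16.0 for CVE-2021-45046).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml for the demo; it is not SteVe's real pom.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <log4j.version>2.14.1</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# First fixed log4j 2.x release for each CVE, as cited in this issue.
FIXES = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
}

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); missing components are padded with zeros."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def resolve(value, props):
    """Expand ${property} references for the simple case Maven handles."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

def find_log4j_core(pom_xml):
    """Return the declared log4j-core version (properties resolved), or None."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.rsplit("}", 1)[-1]: p.text for p in root.findall("m:properties/*", NS)}
    for dep in root.findall(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=NS)
        if gid == "org.apache.logging.log4j" and aid == "log4j-core":
            return resolve(dep.findtext("m:version", default="", namespaces=NS), props)
    return None

def outstanding_cves(version_text):
    """CVEs from FIXES that the given log4j version predates."""
    v = parse_version(version_text)
    # Only the 2.x line is in scope here; log4j 1.x is a different code base.
    return [cve for cve, fixed in FIXES.items() if v[0] == 2 and v < fixed]
```

Running `outstanding_cves(find_log4j_core(SAMPLE_POM))` on the sample flags both CVEs for 2.14.1, only CVE-2021-45046 for 2.15.0, and nothing from 2.16.0 onward.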