critical security vulnerability for /opt/ignite/apache-ignite/libs/optional/ignite-rest-http/log4j-1.2.17.jar

5 messages

Andrew Story

Would it be possible in the next release of Ignite to upgrade the third-party component /opt/ignite/apache-ignite/libs/optional/ignite-rest-http/log4j-1.2.17.jar to log4j-core-2.13.3.jar?

This component log4j-1.2.17.jar is flagged as having a critical security vulnerability which is described here:
https://nvd.nist.gov/vuln/detail/CVE-2019-17571

The latest version of this component appears to be 2.13.3, which should resolve the vulnerability:
https://logging.apache.org/log4j/2.x/download.html

Thanks,

Andrew Story




--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/
ilya.kasnacheev
Hello!

Log4J 1.x does not have any non-vulnerable releases, and Log4J2 is not binary compatible.

You can sidestep this by not including ignite-log4j module and instead resorting to ignite-log4j2.

Regards,
--
Ilya Kasnacheev


Sat, 19 Sep 2020 at 01:47, Andrew Story <[hidden email]>:
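For a Maven build that depends on ignite-rest-http, the advice above (leave out the log4j 1.x logger module, use ignite-log4j2) translates into an exclusion on the transitive dependency plus the log4j2 module. This is an added example, not from the thread or the Ignite project: `log4j:log4j` and `org.slf4j:slf4j-log4j12` are the standard coordinates for log4j 1.2.17 and its slf4j binding, but whether ignite-rest-http pulls them in under exactly these coordinates in your Ignite version is an assumption to confirm with `mvn dependency:tree`; `${ignite.version}` is a placeholder property.

```xml
<dependencies>
  <dependency>
    <groupId>org.apache.ignite</groupId>
    <artifactId>ignite-rest-http</artifactId>
    <version>${ignite.version}</version>
    <exclusions>
      <!-- log4j 1.2.17 (CVE-2019-17571) arrives transitively; drop it here.
           Assumed coordinates: verify with mvn dependency:tree. -->
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
      <!-- the slf4j binding that targets log4j 1.x has no purpose without it -->
      <exclusion>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-log4j12</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- log4j2-based Ignite logger module instead of ignite-log4j -->
  <dependency>
    <groupId>org.apache.ignite</groupId>
    <artifactId>ignite-log4j2</artifactId>
    <version>${ignite.version}</version>
  </dependency>
</dependencies>
```

After the change, re-run `mvn dependency:tree -Dincludes=log4j:log4j` to confirm that no other dependency re-introduces the 1.x jar; if some code on the classpath still calls the log4j 1.x API directly, log4j 2 ships a `log4j-1.2-api` bridge for that API, which is a separate artifact from `log4j:log4j`.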
stephendarlington
Actually, this is an interesting one: it’s not the top level ignite-log4j module, but a dependency of ignite-rest-http. Why does the REST API have log4j (and slf4j) dependencies at all?

On 21 Sep 2020, at 10:19, Ilya Kasnacheev <[hidden email]> wrote:

Hello!

Log4J 1.x does not have any non-vulnerable releases, and Log4J2 is not binary compatible.

You can sidestep this by not including ignite-log4j module and instead resorting to ignite-log4j2.

Regards,
--
Ilya Kasnacheev


сб, 19 сент. 2020 г. в 01:47, Andrew Story <[hidden email]>:
Would it be possible in the next release of Ignite to upgrade the 3rd party
component
/opt/ignite/apache-ignite/libs/optional/ignite-rest-http/log4j-1.2.17.jar to
log4j-core-2.13.3.jar?

This component log4j-1.2.17.jar is flagged as having a critical security
vulnerability which is described here:
https://nvd.nist.gov/vuln/detail/CVE-2019-17571

The latest version of this component appears to be 2.13.3 which should
resolve the vulnerability:
https://logging.apache.org/log4j/2.x/download.html.

Thanks,

Andrew Story




--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/
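The point above, that the flagged jar is not in the logger module but shipped under another module's directory, is why scanning by top-level module name is not enough. The scanner below, an added example that is not part of the thread or of the Ignite project, walks a libs/ tree and reports every jar that contains log4j 1.x classes, keying on the presence of `org/apache/log4j/net/SocketServer.class` (the class named in CVE-2019-17571) rather than on the file name, so a copy bundled inside a shaded jar is caught too. The sample tree it builds is constructed stand-in data, not real jars.

```python
"""Find log4j 1.x jars in a directory tree by content, not by file name."""
import os
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List

# The class named in CVE-2019-17571. Every log4j 1.2.x release, including
# the last one (1.2.17), ships it, so its presence marks an affected jar.
SOCKET_SERVER_CLASS = "org/apache/log4j/net/SocketServer.class"


@dataclass(frozen=True)
class Finding:
    relpath: str   # jar path relative to the scanned root
    module: str    # directory the jar sits in, e.g. "optional/ignite-rest-http"
    version: str   # Implementation-Version from the jar manifest, or "unknown"


def _manifest_version(zf: zipfile.ZipFile) -> str:
    """Return Implementation-Version from META-INF/MANIFEST.MF, if present."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return "unknown"
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Implementation-Version":
            return value.strip()
    return "unknown"


def jar_contains_log4j1(jar_path: str) -> bool:
    """True if the jar carries log4j 1.x's SocketServer class, whatever its name."""
    if not zipfile.is_zipfile(jar_path):
        return False
    with zipfile.ZipFile(jar_path) as zf:
        return SOCKET_SERVER_CLASS in zf.namelist()


def scan_tree(root: str) -> List[Finding]:
    """Walk root and report every jar or zip that bundles log4j 1.x classes."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith((".jar", ".zip")):
                continue
            full = os.path.join(dirpath, name)
            if not jar_contains_log4j1(full):
                continue
            with zipfile.ZipFile(full) as zf:
                version = _manifest_version(zf)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings.append(Finding(relpath=rel, module=os.path.dirname(rel), version=version))
    return sorted(findings, key=lambda f: f.relpath)


def _write_jar(path: str, entries: dict) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_sample_tree(root: str) -> None:
    """Constructed stand-in for an Ignite libs/ directory; entries are placeholder bytes."""
    # The case from the thread: log4j 1.2.17 shipped under ignite-rest-http.
    _write_jar(os.path.join(root, "optional", "ignite-rest-http", "log4j-1.2.17.jar"), {
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nImplementation-Version: 1.2.17\n",
        SOCKET_SERVER_CLASS: b"\xca\xfe\xba\xbe",
    })
    # Hypothetical shaded jar bundling the same classes under an unrelated
    # file name: a name-based check misses it, a content check does not.
    _write_jar(os.path.join(root, "optional", "some-connector", "connector-all.jar"), {
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
        SOCKET_SERVER_CLASS: b"\xca\xfe\xba\xbe",
        "org/apache/log4j/Logger.class": b"\xca\xfe\xba\xbe",
    })
    # log4j 2.x lives in org.apache.logging.log4j and must not be flagged.
    _write_jar(os.path.join(root, "optional", "ignite-log4j2", "log4j-core-2.13.3.jar"), {
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nImplementation-Version: 2.13.3\n",
        "org/apache/logging/log4j/core/Core.class": b"\xca\xfe\xba\xbe",
    })


def demo() -> List[Finding]:
    """Build the sample tree, scan it, print and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_tree(root)
    for f in findings:
        print(f"{f.relpath}: log4j 1.x {f.version} (module {f.module})")
    return findings


if __name__ == "__main__":
    demo()
```

Against a real install, call `scan_tree("/opt/ignite/apache-ignite/libs")`; the `module` field tells you which module directory carried the jar in, which is the information the thread needed to locate the dependency.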


ilya.kasnacheev
Hello!

Good catch! I think you should file a critical level ticket about it.

Regards,
--
Ilya Kasnacheev


Mon, 21 Sep 2020 at 12:56, Stephen Darlington <[hidden email]>:


stephendarlington
https://issues.apache.org/jira/browse/IGNITE-13464

On 21 Sep 2020, at 11:02, Ilya Kasnacheev <[hidden email]> wrote: