Address CVE-2021-45046 #3283

t83714 · 2021-12-17T01:57:49Z

Address CVE-2021-45046

See https://logging.apache.org/log4j/2.x/security.html for details.

As Mitigation options provided by log4j:

Mitigation
Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability.

Log4j 2.x mitigation: Implement one of the mitigation techniques below.

Java 8 (or later) users should upgrade to release 2.16.0.
Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).
Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.

We will upgrade our codebase to 2.16.0. For upstream projects (e.g. elasticsearch), we will remove JndiLookup class from our docker images.

The text was updated successfully, but these errors were encountered:

t83714 · 2021-12-17T04:38:08Z

closed via #3284
release https://github.com/magda-io/magda/releases/tag/v1.1.0-rc.1 is the first release that includes this fix.

t83714 added the bug label Dec 17, 2021

t83714 mentioned this issue Dec 17, 2021

Fix CVE 2021 45046 #3284

Merged

2 tasks

t83714 closed this as completed Dec 17, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Address CVE-2021-45046 #3283

Address CVE-2021-45046 #3283

t83714 commented Dec 17, 2021

t83714 commented Dec 17, 2021

Address CVE-2021-45046 #3283

Address CVE-2021-45046 #3283

Comments

t83714 commented Dec 17, 2021

Address CVE-2021-45046

t83714 commented Dec 17, 2021