
Update to log4j 2.16.0. #12061

Merged
merged 2 commits into from
Dec 14, 2021

Conversation

gianm
Contributor

@gianm gianm commented Dec 13, 2021

Log4j 2.16.0 is further hardened and makes it impossible for users to stumble into a configuration that is vulnerable to the CVE-2021-44228 issue. I don't think this is a fire-drill update, because Druid 0.22.1+ with Log4j 2.15.0 is not vulnerable in its default configuration. (We don't ship with any JNDI features enabled.) But the additional hardening would be beneficial to our users.

See announcement at: https://lists.apache.org/thread/t72msv9cpxw9q5zw8rfkhx52v24z57f1

Contributor

@suneet-s suneet-s left a comment
+1 after license check job passes

Member

@asdf2014 asdf2014 left a comment

👍 LGTM

@gianm gianm merged commit d917e04 into apache:master Dec 14, 2021
@gianm gianm deleted the log4j-2.16.0 branch December 14, 2021 03:06
@hzluyang

"(We don't ship with any JNDI features enabled.)"
I don't want to upgrade the druid version, so I plan to delete JndiLookup in an older release like 0.20.1 to avoid this CVE-2021-44228 issue, like this:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
in apache-druid-0.20.1/lib/log4j-core-2.8.2.jar

Should this operation be OK? Will it not affect the druid cluster functions?

@gianm
Contributor Author

gianm commented Dec 15, 2021

@hzluyang removing the JndiLookup class from the log4j-core jar is OK. We tested doing that, and Druid still works fine afterwards.
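The class-removal workaround discussed in the two comments above, as an added example that is not part of this PR or of the Druid project: it scans a lib directory for log4j-core jars, reports the version from the file name and whether JndiLookup.class is still present, and strips that entry the same way the `zip -d` command does, using only the Python standard library. The jar built in `demo()` is a constructed fixture with dummy bytes, not a real log4j build.

```python
import os
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

# Jar entry that the `zip -d` workaround in the thread above removes.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"log4j-core-(\d+\.\d+\.\d+)\.jar$")

def scan_jar(jar_path):
    """Return (version parsed from the filename, whether JndiLookup.class is present)."""
    m = VERSION_RE.search(os.path.basename(jar_path))
    with zipfile.ZipFile(jar_path) as zf:
        present = JNDI_LOOKUP in zf.namelist()
    return (m.group(1) if m else None), present

def scan_lib_dir(lib_dir):
    """Map each log4j-core jar under lib_dir (e.g. apache-druid-*/lib) to its scan result."""
    return {p.name: scan_jar(str(p)) for p in Path(lib_dir).glob("log4j-core-*.jar")}

def strip_jndi_lookup(jar_path):
    """Remove JndiLookup.class (keeping <jar>.bak); returns True if an entry was removed."""
    if not scan_jar(jar_path)[1]:
        return False
    tmp = jar_path + ".tmp"
    # zipfile cannot delete in place: copy every other entry, then swap the files.
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_LOOKUP:
                dst.writestr(item, src.read(item.filename))
    shutil.copy2(jar_path, jar_path + ".bak")
    os.replace(tmp, jar_path)
    return True

def demo():
    """Constructed fixture: a fake log4j-core-2.8.2.jar whose entries are dummy bytes."""
    lib = tempfile.mkdtemp()
    jar = os.path.join(lib, "log4j-core-2.8.2.jar")
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    before = scan_lib_dir(lib)[os.path.basename(jar)]
    removed = strip_jndi_lookup(jar)
    # A second strip is a no-op, which is what re-running the workaround should be.
    return before, removed, scan_jar(jar), strip_jndi_lookup(jar)
```

Run `scan_lib_dir("apache-druid-0.20.1/lib")` on a real install to confirm the entry is gone after the workaround; the `.bak` copy lets you roll back if anything misbehaves.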

@OliveBZH

Which version will include that 2.16? The next 0.22.2?

@MarcinVV

I'm waiting for 0.22.2 too ;)

nikhil-ddu pushed a commit to twitter-forks/druid that referenced this pull request Dec 17, 2021
* Update to log4j 2.16.0.

* Update licenses.yaml
nikhil-ddu pushed a commit to twitter-forks/druid that referenced this pull request Dec 17, 2021
* Update to log4j 2.16.0.

* Update licenses.yaml
@abhishekagarwal87 abhishekagarwal87 added this to the 0.23.0 milestone May 11, 2022
debasatwa29 pushed a commit to debasatwa29/druid that referenced this pull request Jun 2, 2022
Summary:
Upgrade log4j to 2.16

Pulls upstream:
apache#12061

According to the description of the upstream PR, we should be safe with 2.15 but it's good to upgrade.

Reviewers: O1139 Druid, yyang

Reviewed By: O1139 Druid, yyang

Subscribers: jenkins, shawncao, #realtime-analytics

Differential Revision: https://phabricator.pinadmin.com/D824772
ruchinkabra pushed a commit to twitter-forks/druid that referenced this pull request Jun 13, 2022
* Update to log4j 2.16.0.

* Update licenses.yaml
anishanagarajan pushed a commit to twitter-forks/druid that referenced this pull request Sep 23, 2022
* Update to log4j 2.16.0.

* Update licenses.yaml
9 participants