Update to log4j 2.16.0. #12061
Conversation
+1 after license check job passes
👍 LGTM
"(We don't ship with any JNDI features enabled.)" Is this operation OK? Will it not affect the Druid cluster functions?
@hzluyang removing the JndiLookup class from the log4j-core jar is OK. We tested doing that, and Druid still works fine afterwards.
Which version will include 2.16? The next one, 0.22.2?
I'm waiting for 0.22.2 too ;)
* Update to log4j 2.16.0.
* Update licenses.yaml
Summary: Upgrade log4j to 2.16
Pulls upstream: apache#12061
According to the description of the upstream PR, we should be safe with 2.15 but it's good to upgrade.
Reviewers: O1139 Druid, yyang
Reviewed By: O1139 Druid, yyang
Subscribers: jenkins, shawncao, #realtime-analytics
Differential Revision: https://phabricator.pinadmin.com/D824772
Log4j 2.16.0 is further hardened and makes it impossible for users to stumble into a configuration that is vulnerable to the CVE-2021-44228 issue. I don't think this is a fire-drill update, because Druid 0.22.1+ with Log4j 2.15.0 is not vulnerable in its default configuration. (We don't ship with any JNDI features enabled.) But the additional hardening would be beneficial to our users.
See announcement at: https://lists.apache.org/thread/t72msv9cpxw9q5zw8rfkhx52v24z57f1
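As an added defender-side example (not part of this PR or the Druid code base): a small Python inventory check covering the two things this thread discusses, the log4j-core version bundled in a jar and whether the JndiLookup class is still present, plus the class-removal step @hzluyang asked about. The jar is constructed in memory as a stand-in (no real log4j bytecode); the pom.properties path is the standard Maven location inside log4j-core, and the `needs_attention` threshold of 2.16.0 is simply the version this PR moves to.

```python
"""Check a log4j-core jar for its bundled version and for JndiLookup.class
(the CVE-2021-44228 entry point), and produce a copy with that class removed."""
import io
import zipfile
from typing import Optional

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def log4j_core_version(jar_bytes: bytes) -> Optional[str]:
    """Return the version recorded in log4j-core's Maven pom.properties, if present."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPS not in jar.namelist():
            return None
        for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def has_jndi_lookup(jar_bytes: bytes) -> bool:
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return JNDI_LOOKUP in jar.namelist()


def needs_attention(jar_bytes: bytes) -> bool:
    """Flag a jar that is older than 2.16.0 (or unversioned) and still ships JndiLookup."""
    version = log4j_core_version(jar_bytes)
    try:
        parsed = tuple(int(p) for p in version.split(".")[:3]) if version else None
    except ValueError:          # e.g. "2.0-beta9": treat as unknown, i.e. old
        parsed = None
    return (parsed is None or parsed < (2, 16, 0)) and has_jndi_lookup(jar_bytes)


def strip_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Copy the jar without JndiLookup.class (same effect as `zip -q -d jar <class>`)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_jar(version: str, with_jndi: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar; the class entries are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"version={version}\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Pointing `log4j_core_version` and `has_jndi_lookup` at the bytes of a real jar (read from disk) gives the same two answers for an installed Druid; the stripping step is the fallback the thread describes for hosts that cannot take the 2.16.0 upgrade immediately.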