Kiwi R3 2021 - Log4j vulnerability verification and correction

Description

The 'formatMsgNoLookups' property was added in version 2.10.0, per the JIRA Issue LOG4J2-2109 that proposed it. Therefore the 'formatMsgNoLookups=true' mitigation strategy is available in version 2.10.0 and higher, but is no longer necessary with version 2.16.0, because it then becomes the default behavior.

Other comments:

mod-ldp doesn't use log4j
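One way to run the verification this ticket asks for, as an added example that is not part of the original issue or the module's code: scan `mvn dependency:tree` output for log4j-core and classify each version by the thresholds in the description. The sample trees are constructed, and the assumption that `org.apache.logging.log4j:log4j-core` is the artifact to look for is this example's, not the ticket's.

```python
import re

# Thresholds taken from the description above.
PROPERTY_ADDED = (2, 10, 0)      # formatMsgNoLookups introduced
DEFAULT_BEHAVIOR = (2, 16, 0)    # no-lookups becomes the default

# Assumption: the artifact of interest is log4j-core, as it appears in
# `mvn dependency:tree` lines (group:artifact:type:version:scope).
CORE_RE = re.compile(r"org\.apache\.logging\.log4j:log4j-core:jar:([^:\s]+):")

def parse_version(raw):
    """Turn '2.14.1' or '2.0-beta9' into a comparable (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", raw)
    if not m:
        raise ValueError(f"unrecognized version: {raw}")
    return tuple(int(g or 0) for g in m.groups())

def classify(raw):
    version = parse_version(raw)
    if version >= DEFAULT_BEHAVIOR:
        return "no-lookups is the default"
    if version >= PROPERTY_ADDED:
        return "formatMsgNoLookups=true available"
    return "formatMsgNoLookups not available"

def audit(tree_text):
    """Return (version, status) for every log4j-core line; [] means none found."""
    return [(m.group(1), classify(m.group(1)))
            for m in map(CORE_RE.search, tree_text.splitlines()) if m]

# Constructed sample: a Spring Boot module logging through logback only.
LOGBACK_TREE = """\
[INFO] +- org.springframework.boot:spring-boot-starter-logging:jar:2.5.6:compile
[INFO] |  +- ch.qos.logback:logback-classic:jar:1.2.6:compile
[INFO] |  \\- org.slf4j:jul-to-slf4j:jar:1.7.32:compile
"""

# Constructed sample: three modules pulling in different log4j-core versions.
MIXED_TREE = """\
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.9.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.16.0:runtime
"""

if __name__ == "__main__":
    for name, tree in (("logback-only", LOGBACK_TREE), ("mixed", MIXED_TREE)):
        print(name, audit(tree) or "log4j-core not present")
```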

Environment

None

Potential Workaround

None


Activity


Kurt Nordstrom December 17, 2021 at 9:43 PM

I have evaluated the dependencies for mod-ldp and we are currently not using log4j in any fashion (Spring Boot uses logback unless told to do otherwise), so no code changes will be required at this time.

Charlotte Whitt December 16, 2021 at 4:09 PM

Hi  -   just announced that the deadline for this work for the Kiwi release is Friday 12/17/2021. Will that work okay for you?

CC:

Done

Details

Assignee

Reporter

Labels

Priority

Development Team

Thor

Release

R3 2021 Bug Fix

Created December 14, 2021 at 12:04 PM
Updated December 17, 2021 at 9:43 PM
Resolved December 17, 2021 at 9:43 PM