Doesn’t hurt to upgrade. But no exploit there as far as I can see? If someone can update your config files to point them to JNDI, you have worse problems than that. Like they can probably update your config files to just completely open up JMX access or what ever also.
> On Dec 14, 2021, at 9:17 AM, Brandon Williams <dri...@gmail.com> wrote: > > The POC seems to require the attacker be able to upload a file that > overwrites the configuration, with hot reloading enabled. We do have > hot reloading enabled but there's no inherent way to overwrite the > config. > > That said with logback currently at 1.2.3 (in trunk), perhaps we > should consider an upgrade for safety. > >> On Tue, Dec 14, 2021 at 8:50 AM Steinmaurer, Thomas >> <thomas.steinmau...@dynatrace.com.invalid> wrote: >> >> Any thoughts what the logback folks have been filed here? >> https://jira.qos.ch/browse/LOGBACK-1591 >> >> Thanks! >> >> -----Original Message----- >> From: Brandon Williams <dri...@gmail.com> >> Sent: Sonntag, 12. Dezember 2021 18:56 >> To: dev@cassandra.apache.org >> Subject: Recent log4j vulnerability >> >> I replied to a user- post about this, but thought it was worth repeating it >> here. >> >> In >> https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.apache.org%2Fjira%2Fbrowse%2FCASSANDRA-5883&data=04%7C01%7Cthomas.steinmaurer%40dynatrace.com%7C8016a1aeed8c4589cbe408d9bd9a0920%7C70ebe3a35b30435d9d677716d74ca190%7C1%7C0%7C637749291586596208%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=0klDN4WmFkt876OCsXL%2FX%2FUXa%2FrsxmwCKFgmnP4Lctw%3D&reserved=0 >> you can see where Apache Cassandra never chose to use log4j2 (preferring >> logback instead), and thus is not, and has never been, vulnerable to this >> RCE. >> >> Kind Regards, >> Brandon >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org >> For additional commands, e-mail: dev-h...@cassandra.apache.org >> >> This email may contain confidential information. If it appears this message >> was sent to you by mistake, please let us know of the error. In this case, >> we also ask that you do not further forward the content and delete it. Thank >> you for your cooperation and understanding. Dynatrace Austria GmbH >> (registration number FN 91482h) is a company registered in Linz whose >> registered office is at 4020 Linz, Austria, Am Fünfundzwanziger Turm 20. >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org >> For additional commands, e-mail: dev-h...@cassandra.apache.org >> > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org > For additional commands, e-mail: dev-h...@cassandra.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org For additional commands, e-mail: dev-h...@cassandra.apache.org
