I will note that the `%m{nolookups}` workaround feels a lot more
challenging to feel comfortable using than the `-D`/env var
workarounds that work in the newer versions. For example, our
log4j2.xml file has two Appenders, one of which uses JsonLayout and
one of which uses PatternLayout. It's hard to understand from the docs
as a non-log4j-expert if the JsonLayout appender is vulnerable or not
and if there's a way to apply `%m{nolookups}` to it.

Because the workarounds for Druid are more challenging than for
projects on the slightly newer versions of log4j2, perhaps it would be
appropriate to put out one or two more patch releases, against 0.21
and/or 0.20? I know our installation is still on 0.21, which is less
than 2 months old.

On Fri, Dec 10, 2021 at 11:35 AM Gian Merlino <g...@apache.org> wrote:
>
> We're working on this right now and will be getting a vote / release for
> 0.22.1 out asap.
>
> Btw, the log4j announcement mentions a mitigation that does work for our
> current version (2.8.2). It's part (b) here, specifying "%m{nolookups}" in
> the PatternLayout configuration:
> https://lists.apache.org/thread/bfnl1stql187jytr0t5k0hv0go6b76g4. However,
> I haven't personally tested this, so I cannot provide any more details
> beyond pointing to the announcement.
>
> On Fri, Dec 10, 2021 at 10:27 AM Lucas Capistrant <
> capistrant.lu...@gmail.com> wrote:
>
> > Since it is “critical” severity, I think it would be a good idea to
> > seriously consider pushing out a minor version of 0.22.x. Especially since
> > the mitigation strategy outlined in the CVE is not available in the log4j
> > version that exists today in the current stable release. There is past
> > precedent for such releases: see 0.20.2
> >
> > On Fri, Dec 10, 2021 at 12:14 PM Eyal Yurman <eyurma...@yahooinc.com
> > .invalid>
> > wrote:
> >
> > > Hello, regarding https://github.com/apache/druid/pull/12051 which merged
> > > to
> > > master,
> > >
> > > Is it a common practice for the project to backport and release a new
> > minor
> > > for the latest version?
> > >
> >

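As an added example, not code from this thread or from the Druid project: a small Python audit that walks a log4j2.xml shaped like the one described above (two appenders, one JsonLayout, one PatternLayout) and reports, per appender, whether the message converter carries `{nolookups}`. The config it parses is constructed, and it only checks the PatternLayout mitigation from the announcement; it does not claim anything about JsonLayout beyond the fact that a pattern option cannot be applied to it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample config (not Druid's shipped file): two appenders, one
# JsonLayout and one PatternLayout whose %m carries no {nolookups} option.
SAMPLE_LOG4J2_XML = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %p [%t] %c - %m%n"/>
    </Console>
    <RollingFile name="JsonFile" fileName="druid.json.log">
      <JsonLayout compact="true" eventEol="true"/>
    </RollingFile>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

# %m, %msg and %message are the message converters; options follow in braces.
# The lookahead keeps %m from matching the start of %marker or %method.
MSG_CONVERTER = re.compile(r"%(?:message|msg|m)(?![A-Za-z])((?:\{[^}]*\})*)")

def pattern_status(pattern):
    """Classify one PatternLayout pattern string."""
    hits = MSG_CONVERTER.findall(pattern)
    if not hits:
        return "no message converter in pattern"
    if all("nolookups" in opts.lower() for opts in hits):
        return "mitigated: every %m carries {nolookups}"
    return "unmitigated: %m without {nolookups}"

def audit_log4j2(xml_text):
    """Return {appender name: status} for each appender in a log4j2.xml."""
    root = ET.fromstring(xml_text)
    findings = {}
    appenders = root.find("Appenders")
    for app in ([] if appenders is None else list(appenders)):
        name = app.get("name", app.tag)
        layouts = [c for c in app if c.tag.endswith("Layout")]
        pattern_layouts = [c for c in layouts if c.tag == "PatternLayout"]
        if not pattern_layouts:
            kinds = ",".join(c.tag for c in layouts) or "default layout"
            findings[name] = "not a PatternLayout (" + kinds + "): %m{nolookups} does not apply"
            continue
        pl = pattern_layouts[0]
        # The pattern may be an attribute or a nested <Pattern> element.
        pattern = pl.get("pattern") or (pl.findtext("Pattern") or "")
        findings[name] = pattern_status(pattern)
    return findings

if __name__ == "__main__":
    for name, status in audit_log4j2(SAMPLE_LOG4J2_XML).items():
        print(name + ": " + status)
```

On the sample it flags `Console` as unmitigated and reports that `JsonFile` has no pattern for `%m{nolookups}` to apply to, which is exactly the gap the question above is about.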