Can I humbly recommend a quick patch to log4j 2.17.0? The reason is that
security organizations don't know, from application to application, which
will be impacted or not; it will force us to update ourselves, creating a
deviation from core.

It just makes things more complicated for everyone if we don't have a
recognized safe deployment.

On Mon, Dec 20, 2021 at 11:28 AM Frank Chen <frankc...@apache.org> wrote:

> Hi Devs,
>
> Last week, there were many people leaving comments in the issue/PR listed
> as follows to enquire whether there is a newer Druid patch release such as
> 0.22.2 that fixes the new vulnerabilities (CVE-2021-45046
> <https://nvd.nist.gov/vuln/detail/CVE-2021-45046> and CVE-2021-45105
> <https://nvd.nist.gov/vuln/detail/CVE-2021-45105>), which affect log4j
> 2.15.0 and 2.16.0
>
> https://github.com/apache/druid/issues/12054
>
> https://github.com/apache/druid/pull/12061
>
> https://github.com/apache/druid/pull/12051
>
> So, I bring up this topic here to discuss so that all of us can get a clear
> message whether we should do a patch release.
>
> Following is my personal opinion:
>
> From the description of these two CVE announcements, we can see that these
> two problems only affect log4j pattern layouts that involve the thread
> context map (MDC).
>
> Since Druid's default pattern layout DOES NOT use such a pattern layout, I
> think it's safe to say that it's not affected by these vulnerabilities.
> So we don't need to release another patch release to address these two
> problems.
>
> We can address these two in the upcoming major release 0.23, which is going
> to be released next month if everything goes well as scheduled.
>
>
> Frank
>


-- 
John Pries
Verizon
614 560 2132
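Frank's argument rests on whether a deployment's log4j2 pattern layouts read the thread context map. The following added example (not code from the Druid project or from either author) checks a log4j2 XML configuration for exactly that: the %X/%mdc/%MDC conversion words and the ${ctx:...} lookup that the two advisories name. The sample configuration is constructed for the demonstration and is not Druid's actual default.

```python
import re
import xml.etree.ElementTree as ET

# Pattern-layout features that read the Thread Context Map (MDC), as named by
# CVE-2021-45046 / CVE-2021-45105: %X, %mdc, %MDC and the ${ctx:...} lookup
# (which also matches the deferred $${ctx:...} form).
MDC_PATTERN = re.compile(r"%(?:X|mdc|MDC)\b|\$\{ctx:")


def find_mdc_layouts(config_xml: str) -> list:
    """Return (appender name, pattern) pairs whose PatternLayout reads the MDC."""
    root = ET.fromstring(config_xml)
    hits = []
    for element in root.iter():
        for layout in element.findall("PatternLayout"):
            # log4j2 accepts the pattern as an attribute or a <Pattern> child.
            pattern = layout.get("pattern") or (layout.findtext("Pattern") or "")
            if MDC_PATTERN.search(pattern):
                hits.append((element.get("name", "?"), pattern.strip()))
    return hits


# Constructed sample: one default-style layout and two that touch the MDC.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %p [%t] %c - %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d %p %X{requestId} %c - %m%n</Pattern>
      </PatternLayout>
    </File>
    <RollingFile name="Ctx" fileName="ctx.log">
      <PatternLayout pattern="%d $${ctx:user} %m%n"/>
    </RollingFile>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

if __name__ == "__main__":
    for name, pattern in find_mdc_layouts(SAMPLE_CONFIG):
        print(f"appender {name!r} reads the MDC: {pattern}")
```

An empty result means no PatternLayout in that file uses the MDC features the advisories describe; it says nothing about other configuration files or layouts built in code.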
