Hello, Anton. +1 to removing the outdated logging library.

But it seems we can't do it right now because of existing deployments. Let's mark this module as deprecated and remove it in 2.14?

> Not every deployment needs to be secured.

Disagree. We should update or work around known security issues ASAP.

> Not every deployment requires the use of log4j.

Agree, but we shouldn't provide or support modules with known security issues.

> On 28 Feb 2022, at 18:41, Anton Vinogradov <a...@apache.org> wrote:
>
> Your deployment has vulnerabilities only in case you configured log4j as a
> logger.
> Not every deployment needs to be secured.
> Not every deployment requires the use of log4j.
>
> We must change the default logging library if the current is log4j and
> provide the ability to use log4j as before (where it is required) but with
> a warning, I think.
>
> On Mon, Feb 28, 2022 at 3:55 PM Sergei Ryzhov <s.vi.ryz...@gmail.com> wrote:
>
>> Hello, Igniters.
>>
>> log4j 1.2.17 is not supported and contains critical vulnerabilities.
>> I suggest excluding log4j 1.2.17 and the module ignite-log4j from Ignite [1].
>>
>> Direct vulnerabilities:
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571
>>
>> WDYT?
>>
>> [1] https://issues.apache.org/jira/browse/IGNITE-16626
>>
>> --
>> Best regards,
>> Sergei Ryzhov
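The thread turns on one question: is log4j 1.2.17 actually present in a deployment, and is it configured as the logger with one of the affected appenders? The script below is an added example, not code from the Ignite project or from anyone in the thread. It performs two offline checks an operator can run on a deployment: inspecting a jar for log4j 1.x classes and for the specific classes named in the four listed CVEs, and parsing a log4j.properties to see whether an affected appender is defined and actually referenced by a logger. The mapping of classes and appenders to CVE numbers is taken from the public advisory texts; the sample jar and properties file are constructed for the demo, and the package-prefix test is a heuristic (the log4j 2.x compatibility bridge uses the same package, which is why the manifest version is also reported).

```python
"""Audit a deployment for the log4j 1.2.x artifacts discussed in the thread.

Added example; not code from the Ignite project or from anyone in the thread.
  * scan_jar()           -- does a jar ship log4j 1.x classes, and which of the
                            classes tied to the four listed CVEs are inside?
  * audit_log4j_config() -- does a log4j.properties actually enable one of the
                            affected appenders (only deployments configured to
                            use log4j are exposed, as the thread notes)?
The class/appender-to-CVE mapping comes from the public advisory texts; the
jar and properties below are constructed for this demo.
"""
import io
import re
import zipfile
from typing import Dict, List

# Class file -> advisory, per the public descriptions of the CVEs cited above.
VULNERABLE_CLASSES: Dict[str, str] = {
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",
    "org/apache/log4j/net/JMSSink.class": "CVE-2022-23302",
    "org/apache/log4j/jdbc/JDBCAppender.class": "CVE-2022-23305",
}
# Appender class names as they are written in log4j.properties values.
VULNERABLE_APPENDERS: Dict[str, str] = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
}


def scan_jar(jar) -> dict:
    """Inspect one jar (path or file-like object).
    Heuristic: log4j 1.x classes live under org/apache/log4j/ (2.x uses
    org/apache/logging/log4j/); the 2.x compatibility bridge reuses the 1.x
    package, so the manifest Implementation-Version is reported alongside."""
    report = {"log4j1_api": False, "version": None, "cves": []}
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        report["log4j1_api"] = any(
            n.startswith("org/apache/log4j/") and n.endswith(".class") for n in names)
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            report["version"] = m.group(1) if m else None
        report["cves"] = sorted(cve for cls, cve in VULNERABLE_CLASSES.items()
                                if cls in names)
    return report


def audit_log4j_config(properties_text: str) -> List[dict]:
    """One finding per affected appender defined in a log4j.properties.
    enabled=True only if a rootLogger/logger line references the appender:
    log4j 1.x only instantiates appenders that some logger actually lists."""
    lines = [ln.strip() for ln in properties_text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(("#", "!"))]
    referenced = set()
    logger_re = re.compile(
        r"log4j\.(?:rootLogger|rootCategory|logger\.[\w.$-]+|category\.[\w.$-]+)\s*=\s*(.*)")
    for line in lines:
        m = logger_re.match(line)
        if m:
            tokens = [t.strip() for t in m.group(1).split(",")]
            referenced.update(t for t in tokens[1:] if t)  # tokens[0] is the level
    findings = []
    for line in lines:
        # Only "log4j.appender.NAME=class" lines; "NAME.layout=..." does not match.
        m = re.match(r"log4j\.appender\.([\w-]+)\s*=\s*(\S+)", line)
        if m and m.group(2) in VULNERABLE_APPENDERS:
            name, cls = m.groups()
            findings.append({"appender": name, "class": cls,
                             "cve": VULNERABLE_APPENDERS[cls],
                             "enabled": name in referenced})
    return findings


def build_sample_jar(version: str = "1.2.17", include_net: bool = True) -> io.BytesIO:
    """Constructed stand-in for a log4j 1.2.x jar (class bodies are empty)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr("org/apache/log4j/Logger.class", b"")
        zf.writestr("org/apache/log4j/Category.class", b"")
        if include_net:
            for cls in VULNERABLE_CLASSES:
                zf.writestr(cls, b"")
    buf.seek(0)
    return buf


# Constructed sample configuration: JMS is wired to the root logger, DB is
# defined but never referenced, so only JMS counts as enabled.
SAMPLE_PROPERTIES = """
# constructed sample log4j.properties
log4j.rootLogger=INFO, CONSOLE, JMS
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.JMS.TopicBindingName=logTopic
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.DB.URL=jdbc:h2:mem:logs
"""

if __name__ == "__main__":
    print("jar:", scan_jar(build_sample_jar()))
    for finding in audit_log4j_config(SAMPLE_PROPERTIES):
        print("config:", finding)
```

Run against a real deployment by passing the jar paths under the Ignite libs directory to scan_jar() and the deployment's log4j.properties text to audit_log4j_config(); a jar that reports log4j1_api with a 1.2.x version and a config with an enabled finding is exactly the case the thread says must be warned about or migrated.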