[DISCUSSION] Exclude ignite-log4j, log4j 1.2.17
Hello, Igniters.

log4j 1.2.17 is not supported and contains critical vulnerabilities.
I suggest excluding log4j 1.2.17 and module ignite-log4j from ignite [1].

Direct vulnerabilities:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571

WDYT?

[1] https://issues.apache.org/jira/browse/IGNITE-16626

--
Best regards,
Sergei Ryzhov
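A deployment-side check for the artifact discussed above, added here as an example and not code from this thread or from the Ignite project: it scans a lib directory for jars that ship the log4j 1.x package layout and reports the four CVEs listed above against each one. The jar names, the constructed sample directory, and the use of the manifest Implementation-Version to tell the log4j 2 compatibility bridge apart from a real 1.2.x jar are assumptions of this example.

```python
import os
import tempfile
import zipfile

# CVEs the thread lists against log4j 1.2.17 (taken from the message above).
LOG4J_1X_CVES = ("CVE-2022-23305", "CVE-2022-23302", "CVE-2021-4104", "CVE-2019-17571")
# Package layout unique to log4j 1.x; log4j 2 lives under org/apache/logging/log4j/.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
MANIFEST = "META-INF/MANIFEST.MF"

def log4j1_version(jar_path):
    """Declared log4j 1.x version, 'unknown' if the 1.x classes carry no version,
    or None if the jar is not log4j 1.x at all."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        if LOG4J1_MARKER not in names:
            return None
        version = "unknown"
        if MANIFEST in names:
            for line in zf.read(MANIFEST).decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
    # Assumption: the log4j 2 bridge (log4j-1.2-api) ships the same package but
    # declares a 2.x version; it is not the unmaintained 1.2.x code base.
    return None if version.startswith("2.") else version

def scan_lib_dir(lib_dir):
    """Map each log4j 1.x jar under lib_dir to (declared version, CVE list)."""
    findings = {}
    for name in sorted(os.listdir(lib_dir)):
        if name.endswith(".jar"):
            version = log4j1_version(os.path.join(lib_dir, name))
            if version is not None:
                findings[name] = (version, list(LOG4J_1X_CVES))
    return findings

def make_sample_lib_dir():
    """Constructed libs/ directory with three fake jars (sample data, not real artifacts)."""
    lib_dir = tempfile.mkdtemp(prefix="ignite-libs-")
    samples = {  # name -> (ships org/apache/log4j classes?, Implementation-Version)
        "log4j-1.2.17.jar": (True, "1.2.17"),          # the artifact the thread proposes to drop
        "log4j-1.2-api-2.17.1.jar": (True, "2.17.1"),  # log4j 2 bridge: same package, not 1.x
        "other-library.jar": (False, "3.0.0"),         # unrelated jar, no log4j classes
    }
    for name, (has_marker, version) in samples.items():
        with zipfile.ZipFile(os.path.join(lib_dir, name), "w") as zf:
            zf.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            if has_marker:
                zf.writestr(LOG4J1_MARKER, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return lib_dir
```

Run `scan_lib_dir` against a real Ignite `libs/` directory to see which nodes still carry the 1.2.17 jar before the module is dropped.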
Re: [DISCUSSION] Exclude ignite-log4j, log4j 1.2.17
Your deployment has vulnerabilities only in case you configured log4j as a logger.
Not every deployment requires to be secured.
Not every deployment requires the use of log4j.

We must change the default logging library if the current is log4j and provide the ability to use log4j as before (where it is required) but with a warning, I think.

On Mon, Feb 28, 2022 at 3:55 PM Sergei Ryzhov wrote:
> Hello, Igniters.
>
> log4j 1.2.17 is not supported and contains critical vulnerabilities.
> I suggest excluding log4j 1.2.17 and module ignite-log4j from ignite [1].
>
> Direct vulnerabilities:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571
>
> WDYT?
>
> [1] https://issues.apache.org/jira/browse/IGNITE-16626
>
> --
> Best regards,
> Sergei Ryzhov
Re: [DISCUSSION] Exclude ignite-log4j, log4j 1.2.17
Hello, Anton.

+1 to removing the outdated logging library.

But it seems we can’t do it right now, because of existing deployments.
Let’s mark this module as deprecated and remove it in 2.14?

> Not every deployment requires to be secured.

Disagree.
We should update or work around known security issues ASAP.

> Not every deployment requires the use of log4j.

Agree, but we shouldn’t provide or support modules with known security issues.

> On 28 Feb 2022, at 18:41, Anton Vinogradov wrote:
>
> Your deployment has vulnerabilities only in case you configured log4j as a logger.
> Not every deployment requires to be secured.
> Not every deployment requires the use of log4j.
>
> We must change the default logging library if the current is log4j and provide the ability to use log4j as before (where it is required) but with a warning, I think.
Re: [DISCUSSION] Exclude ignite-log4j, log4j 1.2.17
> But it seems we can’t do it right now, because of existing deployments.

Correct.

> Let’s mark this module as deprecated and remove it in 2.14?

Possible way.
Also, we must check that this will not cause problems in tests (e.g. Ducktests).

On Mon, Feb 28, 2022 at 6:48 PM Nikolay Izhikov wrote:
> Hello, Anton.
>
> +1 to removing the outdated logging library.
>
> But it seems we can’t do it right now, because of existing deployments.
> Let’s mark this module as deprecated and remove it in 2.14?
>
> > Not every deployment requires to be secured.
>
> Disagree.
> We should update or work around known security issues ASAP.
>
> > Not every deployment requires the use of log4j.
>
> Agree, but we shouldn’t provide or support modules with known security issues.