Would 3.11 be considered as well? This would also then keep (stupid/static) sec
scans silent in regard to https://nvd.nist.gov/vuln/detail/CVE-2017-5929
Thanks
-Original Message-
From: J. D. Jordan
Sent: Tuesday, 14 December 2021 16:27
To: dev@cassandra.apache.org
Subject: Re: Recent
Doesn’t hurt to upgrade. But no exploit there as far as I can see? If someone
can update your config files to point them to JNDI, you have worse problems
than that. Like they can probably update your config files to just completely
open up JMX access or whatever also.
> On Dec 14, 2021, at 9
The POC seems to require the attacker be able to upload a file that
overwrites the configuration, with hot reloading enabled. We do have
hot reloading enabled but there's no inherent way to overwrite the
config.
That said with logback currently at 1.2.3 (in trunk), perhaps we
should consider an u
Any thoughts what the logback folks have been filed here?
https://jira.qos.ch/browse/LOGBACK-1591
Thanks!
-Original Message-
From: Brandon Williams
Sent: Sunday, 12 December 2021 18:56
To: dev@cassandra.apache.org
Subject: Recent log4j vulnerability
I replied to a user- post about thi