On 2/13/19 2:30 AM, Oleksandr Shulgin wrote:
> On Tue, Feb 12, 2019 at 7:02 PM Michael Shuler <mich...@pbandjelly.org> wrote:
>
>> If you are not using the logback SocketServer and ServerSocketReceiver
>> components, the CVE doesn't affect your server with logback 1.1.3.
>
> So the idea is that as long as logback.xml doesn't configure any of the
> above, we are fine with the current logback version?
This is my understanding: The CVE attack vector is over the network when logback is configured to send/receive logs over the network using the above components. Cassandra is configured by default to log to local disk and does not use ServerSocket[Receiver] in the default logback.xml. I cannot offer an understanding of individual Cassandra users' logback configurations, so that must be determined by the user. Thus the warning in NEWS.txt in cassandra-2.1 through 3.11 branches.

I can offer experience, as I mentioned in CASSANDRA-14183, that some relatively basic application logback configurations to local disk broke when the logback-1.2.3 jars were dropped in, since logback internals changed. This is why the project tries to be careful when updating libraries in older branches.

We did update to logback-1.2.3 in trunk, since major updates should be expected to possibly need configuration changes due to library updates. This logback update in trunk also allowed us to change the default Cassandra local logging to a much better and non-broken-by-design strategy for users (logback-1.1.x rotation is pretty broken, and it is intentional).

-- 
Kind regards,
Michael
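The reply above leaves the check of each deployment's own logback.xml to the user. The following script, added here as an illustration and not part of the thread or of the Cassandra project, does that check: it parses a logback.xml and reports any `<receiver>` or `<appender>` whose class name puts log traffic on the network (the `SocketReceiver`/`ServerSocketReceiver` classes on the receiving side, the `SocketAppender` family on the sending side). The class-name substrings it matches on and the two sample configurations are assumptions constructed for the example; the "local only" sample is a simplified stand-in for a disk-logging configuration, not a copy of Cassandra's shipped file.

```python
"""Check a logback.xml for components that send or receive log events over the network.

Added example; not code from the Cassandra project or the mailing-list thread.
"""
import xml.etree.ElementTree as ET

# Assumption: logback network components are identified by these substrings of
# the configured class attribute. Receivers deserialize incoming events
# (SocketReceiver, ServerSocketReceiver); appenders ship events out
# (SocketAppender, ServerSocketAppender and their SSL variants).
NETWORK_RECEIVER_MARKERS = ("SocketReceiver",)
NETWORK_APPENDER_MARKERS = ("SocketAppender",)


def find_network_components(xml_text):
    """Return (element_tag, name_attr, class_attr) for each network component found.

    The result is in document order; an empty list means the configuration only
    logs locally (file/console/async appenders and no receivers).
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        cls = elem.get("class", "")
        if elem.tag == "receiver" and any(m in cls for m in NETWORK_RECEIVER_MARKERS):
            findings.append(("receiver", elem.get("name"), cls))
        elif elem.tag == "appender" and any(m in cls for m in NETWORK_APPENDER_MARKERS):
            findings.append(("appender", elem.get("name"), cls))
    return findings


def logs_locally_only(xml_text):
    """True when no network send/receive component is configured."""
    return not find_network_components(xml_text)


# Constructed sample: local-disk logging only (rolling file, console, async wrapper).
LOCAL_ONLY_CONFIG = """<configuration>
  <appender name="SYSTEMLOG" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <file>/var/log/cassandra/system.log</file>
  </appender>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender"/>
  <appender name="ASYNCLOG" class="ch.qos.logback.classic.AsyncAppender">
    <appender-ref ref="SYSTEMLOG"/>
  </appender>
  <root level="INFO">
    <appender-ref ref="ASYNCLOG"/>
    <appender-ref ref="STDOUT"/>
  </root>
</configuration>"""

# Constructed sample: same config plus a socket appender and a server socket receiver.
NETWORK_CONFIG = """<configuration>
  <appender name="SYSTEMLOG" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <file>/var/log/cassandra/system.log</file>
  </appender>
  <appender name="REMOTE" class="ch.qos.logback.classic.net.SocketAppender">
    <remoteHost>logs.example.internal</remoteHost>
    <port>4560</port>
  </appender>
  <receiver class="ch.qos.logback.classic.net.server.ServerSocketReceiver">
    <port>4560</port>
  </receiver>
  <root level="INFO">
    <appender-ref ref="SYSTEMLOG"/>
    <appender-ref ref="REMOTE"/>
  </root>
</configuration>"""


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else NETWORK_CONFIG
    hits = find_network_components(text)
    if not hits:
        print("no network logging components configured")
    for tag, name, cls in hits:
        print(f"{tag} name={name!r} class={cls}")
```

Run it with the path to the deployment's logback.xml (`python check_logback.py /etc/cassandra/logback.xml`); with no argument it scans the constructed network sample. A non-empty report means the configuration does use the send/receive path the thread discusses and warrants a closer look; an empty one means the file itself configures only local logging, which is the condition the reply describes for the default Cassandra setup.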