[MODLOGSAML-124] RMB 33.2.1, Vertx 4.2.1, Log4j 2.15.0 fixing remote execution (CVE-2021-44228) - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: TBD
Resolution: Done
Affects Version/s: 2.3.0
Fix Version/s: 2.3.1, 2.4.0
Labels:
- security

Template:

Standard Bug Write-Up Format
Sprint:
CP: sprint 129
Story Points:
1
Development Team:
Core: Platform

Description

mvn dependency:tree -Dincludes=*log4j* -Dverbose

[INFO] org.folio:mod-login-saml:jar:2.4.0-SNAPSHOT
[INFO] \- org.folio:domain-models-runtime:jar:33.1.1:compile
[INFO]    +- org.folio:cql2pgjson:jar:33.1.1:compile
[INFO]    |  \- org.folio:dbschema:jar:33.1.1:compile
[INFO]    |     \- org.folio.okapi:okapi-common:jar:4.9.0:compile
[INFO]    |        \- (org.apache.logging.log4j:log4j-api:jar:2.13.3:compile - omitted for duplicate)
[INFO]    +- org.apache.logging.log4j:log4j-core:jar:2.13.3:compile
[INFO]    |  \- (org.apache.logging.log4j:log4j-api:jar:2.13.3:compile - omitted for duplicate)
[INFO]    \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile

mod-login-saml is affected. It gets its log4j dependency via domain-models-runtime.

TestRail: Results

Attachments

Issue Links

defines

FOLIO-3364 Update everything to log4j >= 2.16.0 fixing remote execution (CVE-2021-44228)

Closed

is blocked by

RMB-888 Log4j 2.15.0 fixing remote execution (CVE-2021-44228)

Closed

Activity

People

Assignee:: Julian Ladisch

Reporter:: Julian Ladisch

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 11/Dec/21 12:21 AM

Updated:: 11/Jan/22 4:19 PM

Resolved:: 13/Dec/21 5:28 PM

RMB 33.2.1, Vertx 4.2.1, Log4j 2.15.0 fixing remote execution (CVE-2021-44228)