Log4j Critical Vulnerability - Remote Code Injection
jekhokie opened this issue · 2 comments
jekhokie commented
Based on GHSA-jfh8-c2jp-5v3q:
"Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser."
In addition, according to CVE-2021-4104, Log4j 1.2 is subject to similar RCE when JMSAppenders are used, and Log4j 1.x is well out of support at this time.
It's advised to migrate to Log4j 2.16.0 at this time. Based on the severity of the issue, request that this be dealt with via a backport approach if at all possible. Would it be possible to migrate to Log4j 2.16.0 to mitigate the risk to anyone using this application?
Thank you!
thomascaillier commented
You can follow this PR : confluentinc/common#403 which will be included in 5.5.8 release