Loading...

XML

Word

Printable

Type: Task
Resolution: Won't Do
Priority: Major
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:
None

Epic Link:
Productization for 1.6.6
Blocked:
False
Ready:
False
Release Note Text:
ProdSec decided that we do not need to patch the log4j 1 CVE.
Target Release:

1.6.6.GA
Market:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Log4j 1.2.17 needs to be rebuilt without JMSAppender (CVE-2021-4104), SocketServer (CVE-2019-17571) and SMTPAppender (CVE-2020-9488). Details on this GH thread.

The original 1.2.17 build is so old that is it not on PNC. It was originally done in BREW.

A new build will need to be set up in PNC. The orginal source code can be found at: https://logging.apache.org/log4j/1.2/source-repository.html

blocks

ENTMQST-3564 Rebuild Kafka 2.8.0 with fixed Log4j1

Closed

ENTMQST-3565 Rebuild Kafka 2.7.0 with fixed Log4j1

Closed

ENTMQST-3567 Rebuild Cruise Control 2.5.11 with Log4j 1.2.17

Closed

ENTMQST-3570 Rebuild Kafka 2.5.0 with fixed Log4j1

Closed

ENTMQST-3571 Rebuild Kafka 2.6.2 with fixed Log4j1

Closed

Assignee:: Thomas Cooper

Reporter:: Thomas Cooper

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2021/12/15 10:43 AM

Updated:: 2022/01/20 6:23 PM

Resolved:: 2021/12/16 9:29 AM