[ISPN-13597] Log4J 2.17.0 - Red Hat Issue Tracker

XML

Word

Printable

Details

Type: Component Upgrade
Status: Resolved (View Workflow)
Priority: Major
Resolution: Done
Affects Version/s: 11.0.13.Final, 12.1.9.Final, 13.0.4.Final
Fix Version/s: 11.0.14.Final, 12.1.10.Final, 13.0.5.Final, 14.0.0.Dev01
Component/s: Build
Labels:
- CVE-2021-45105
- cve

Security Sensitive Issue:

This issue is security relevant
Git Pull Request:
https://github.com/infinispan/infinispan/pull/9764, https://github.com/infinispan/infinispan/pull/9765, https://github.com/infinispan/infinispan/pull/9766, https://github.com/infinispan/infinispan/pull/9767

Description

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

Attachments

Activity

People

Assignee:: Tristan Tarrant

Reporter:: Tristan Tarrant

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2021/12/19 3:01 PM

Updated:: 2021/12/19 5:31 PM

Resolved:: 2021/12/19 5:30 PM