This repository has been archived by the owner on Dec 23, 2023. It is now read-only.

Add text for upgrading to latest log4j (#2089)
* Add text for upgrading to latest log4j

* Update the package-specific README too

Co-authored-by: Punya Biswal <punya@google.com>
amujumdar and punya committed Dec 18, 2021
1 parent 1584507 commit 0899c0b
Showing 2 changed files with 23 additions and 0 deletions.
12 changes: 12 additions & 0 deletions README.md
Expand Up @@ -6,6 +6,18 @@
[![Windows Build Status][appveyor-image]][appveyor-url]
[![Coverage Status][codecov-image]][codecov-url]

> :exclamation: The [opencensus-contrib-log-correlation-log4j2](https://github.com/census-instrumentation/opencensus-java/tree/master/contrib/log_correlation/stackdriver)
> Java client library is part of the OpenCensus project.
> [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228)
> and [CVE-2021-45046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046) disclosed
> security vulnerabilities in the Apache Log4j 2 version 2.15 or below. The recent version
> v0.28.3 depends on Log4j 2.11.1. A number of previous versions also depend on vulnerable
> Log4j versions.
>
> :exclamation: We merged several fixes and published a release that depends on a safe version of
> Log4j (2.16). **We strongly encourage customers who depend on the
> opencensus-contrib-log-correlation-log4j2 library to upgrade to the latest
> release [(v0.30.0)](https://repo1.maven.org/maven2/io/opencensus/opencensus-contrib-log-correlation-log4j2/0.30.0/).**
OpenCensus is a toolkit for collecting application performance and behavior data. It currently
includes 3 apis: stats, tracing and tags.
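Review bot: In the first line of the new notice, the link labelled opencensus-contrib-log-correlation-log4j2 points at `.../tree/master/contrib/log_correlation/stackdriver`, which is not the package this commit is about; the second file changed here lives under `contrib/log_correlation/log4j2`, and the URL should end in that path so readers land on the affected artifact. Separately, all 12 added lines are blockquote lines, so as shown nothing separates the closing `> release [(v0.30.0)]...` line from the "OpenCensus is a toolkit" paragraph. Without an empty line there, Markdown's lazy continuation folds that paragraph into the warning blockquote; add a blank line after the notice.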
11 changes: 11 additions & 0 deletions contrib/log_correlation/log4j2/README.md
@@ -1,5 +1,16 @@
# OpenCensus Log4j 2 Log Correlation

> :exclamation: [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228)
> and [CVE-2021-45046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046) disclosed
> security vulnerabilities in the Apache Log4j 2 version 2.15 or below. The recent version
> v0.28.3 depends on Log4j 2.11.1. A number of previous versions also depend on vulnerable
> Log4j versions.
>
> :exclamation: We merged several fixes and published a release that depends on a safe version of
> Log4j (2.16). **We strongly encourage customers who depend on the
> opencensus-contrib-log-correlation-log4j2 library to upgrade to the latest
> release [(v0.30.0)](https://repo1.maven.org/maven2/io/opencensus/opencensus-contrib-log-correlation-log4j2/0.30.0/).**
The `opencensus-contrib-log-correlation-log4j2` artifact provides a
[Log4j 2](https://logging.apache.org/log4j/2.x/)
[`ContextDataInjector`](https://logging.apache.org/log4j/2.x/manual/extending.html#Custom_ContextDataInjector)
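Review bot: "A number of previous versions also depend on vulnerable Log4j versions" in the first paragraph of this notice does not say which artifact versions are affected, so a user pinned to anything other than v0.28.3 cannot tell from this text whether they need to act. State the affected range of opencensus-contrib-log-correlation-log4j2 explicitly, or say plainly that every release before v0.30.0 should be treated as affected if that is the intent. Calling v0.28.3 "the recent version" while v0.30.0 is "the latest release" also reads inconsistently. In the second paragraph, "a safe version of Log4j (2.16)" is an absolute claim that will age badly; tie it to the two CVEs named above instead, for example "a Log4j version (2.16) that is not affected by CVE-2021-44228 or CVE-2021-45046".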