
Mitigations for log4j vulnerability in Gradle builds (Backport 6.x) #19328

Closed
ljacomet opened this issue Dec 16, 2021 · 3 comments

Comments

@ljacomet
Member

ljacomet commented Dec 16, 2021

See #19300

The following has been done in Gradle:

  • Ensure Zinc compiler does not put a vulnerable Log4j on a classpath. This is done by upgrading log4j-core to 2.17.0 on the zinc compiler classpath when using the scala plugin.
  • Protect buildscript classpath from having vulnerable Log4j. This is done by adding a constraint that rejects known vulnerable versions `[2.0, 2.17)` and requires `2.17.0`.

More information on our blog post.

@ljacomet ljacomet added this to the 6.9.2 milestone Dec 16, 2021
@ljacomet ljacomet self-assigned this Dec 16, 2021
ljacomet added a commit that referenced this issue Dec 16, 2021
This makes sure a log4j vulnerable version is not available for Zinc
compilation even though it is actually not used by default.

Issue #19328
ljacomet added a commit that referenced this issue Dec 16, 2021
This constraint makes sure that no vulnerable log4j-core version is made
available on buildscript classpath directly or through plugin
dependencies.

Fixes #19328
ljacomet added a commit that referenced this issue Dec 16, 2021
This now uses a combination of require and reject instead of a strictly,
which will allow updates beyond the 2.x line. The previous solution was
effectively preventing that with no way for the user to change that.

Issue #19328
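The buildscript constraint described in the issue and in the commit above, written out as an added Groovy DSL example (not the Gradle commit itself): a `require` plus `reject` version constraint on `log4j-core` that keeps the vulnerable range off the buildscript classpath without pinning the 2.x line the way `strictly` would. The verification task and its name `printBuildscriptLog4j` are assumptions for illustration.

```groovy
// Added example, not the commit from the Gradle issue: a buildscript constraint
// in Groovy DSL mirroring the mitigation (reject [2.0, 2.17), require 2.17.0).
buildscript {
    repositories { mavenCentral() }
    dependencies {
        // A constraint does not add log4j-core; it only governs which version is
        // selected if some plugin pulls it onto the buildscript classpath.
        constraints {
            classpath('org.apache.logging.log4j:log4j-core') {
                version {
                    // require + reject (the final form of the fix) still lets a
                    // future 3.x line win; 'strictly "2.17.0"' would pin the
                    // version and fail resolution for anything newer.
                    require '2.17.0'
                    reject '[2.0, 2.17)'
                }
                because 'CVE-2021-45105: keep vulnerable log4j-core off the build classpath'
            }
        }
    }
}

// Assumed helper (hypothetical task name): lists the log4j artifacts actually
// resolved on the buildscript classpath so the constraint's effect can be checked.
tasks.register('printBuildscriptLog4j') {
    doLast {
        def artifacts = buildscript.configurations.classpath
            .resolvedConfiguration.resolvedArtifacts
            .findAll { it.moduleVersion.id.group == 'org.apache.logging.log4j' }
        if (artifacts.empty) {
            println 'No org.apache.logging.log4j artifacts on the buildscript classpath'
        }
        artifacts.each { println "${it.moduleVersion.id}" }
    }
}
```

Run `./gradlew printBuildscriptLog4j` after adding a plugin that transitively depends on log4j-core: any version in `[2.0, 2.17)` is rejected at resolution time, and the task output shows the version that was actually selected.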
ljacomet added a commit that referenced this issue Dec 16, 2021
ljacomet added a commit that referenced this issue Dec 16, 2021
@melix
Contributor

melix commented Dec 18, 2021

need to upgrade to 2.17... https://twitter.com/garethr/status/1472112043717279746?s=21

@ljacomet
Member Author

Indeed, given CVE-2021-45105, let's aim for 2.17.0

ljacomet added a commit that referenced this issue Dec 20, 2021
@ljacomet
Member Author

Merged through #19329 and #19354

mauricebarnum added a commit to mauricebarnum/bookkeeper that referenced this issue Jan 31, 2022
This includes `Mitigations for log4j vulnerability in Gradle builds`
gradle/gradle#19328

Full release notes https://docs.gradle.org/6.9.2/release-notes.html
merlimat pushed a commit to apache/bookkeeper that referenced this issue Feb 5, 2022
* Remove annoying println

* Update gradle to 6.9.2

This includes `Mitigations for log4j vulnerability in Gradle builds`
gradle/gradle#19328

Full release notes https://docs.gradle.org/6.9.2/release-notes.html
nicoloboschi pushed a commit to nicoloboschi/bookkeeper that referenced this issue Feb 7, 2022
StevenLuMT pushed a commit to StevenLuMT/bookkeeper that referenced this issue Feb 16, 2022