
Upgrade checks to Log4j 2.17.0 #19360

Closed

ljacomet opened this issue Dec 20, 2021 · 5 comments

Comments

@ljacomet
Member

Following discovery of CVE-2021-45105, Gradle should update its fixes done for the previous Log4j CVEs.

While Gradle is not affected, following up seems logical given:

  • Something was done for the more serious previous CVEs
  • Gradle 6.9.2, to be released, will recommend Log4j 2.17.0

The following has been done in Gradle:

  • Ensure Zinc compiler does not put a vulnerable Log4j on a classpath. This is done by upgrading log4j-core to 2.17.0 on the zinc compiler classpath when using the scala plugin.
  • Protect buildscript classpath from having vulnerable Log4j. This is done by adding a constraint that rejects known vulnerable versions `[2.0, 2.17)` and requires `2.17.0`

More information on our blog post.
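As an added illustration (not Gradle's own implementation and not part of this issue), the buildscript classpath guard described above can be expressed in a project's own build script with a dependency constraint. The coordinates `org.apache.logging.log4j:log4j-core`, the version range and the `because` text follow the issue; everything else is an assumed, hypothetical `build.gradle.kts`:

```kotlin
// build.gradle.kts (hypothetical example, not Gradle's built-in guard)
buildscript {
    dependencies {
        constraints {
            // Constraint on the buildscript classpath: a plugin that transitively
            // pulls log4j-core is forced to 2.17.0, and any version in the
            // vulnerable range [2.0, 2.17) fails resolution instead of landing
            // silently on the classpath.
            classpath("org.apache.logging.log4j:log4j-core") {
                version {
                    require("2.17.0")
                    reject("[2.0, 2.17)")
                }
                because("Log4j 2.x before 2.17.0 is affected by CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105")
            }
        }
    }
}
```

To confirm what actually resolved on the buildscript classpath, run `./gradlew buildEnvironment` and look for the `log4j-core` entry; if a plugin pins a rejected version with `strictly`, resolution fails and the error names the conflicting constraint, which is the intended outcome here rather than something to work around.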

@ljacomet ljacomet self-assigned this Dec 20, 2021
@ljacomet ljacomet added this to the 7.3.3 milestone Dec 20, 2021
ljacomet added a commit that referenced this issue Dec 20, 2021
@ljacomet
Member Author

Done through #19363

@Spitfire1900

Is this not being backported to Gradle 6.9.2 anymore?

@ljacomet
Member Author

ljacomet commented Dec 21, 2021

Since the news came before 6.9.2 was merged, the backport was integrated in #19354 and is included in the description of #19328

@rover886

rover886 commented Jan 3, 2022

@ljacomet Do you think we should upgrade log4j-core to 2.17.1, as 2.17.0 is again vulnerable to RCE.

Refer CVE-2021-44832

@ljacomet
Member Author

Gradle 7.4 will upgrade the checks to use log4j 2.17.1 - see #19526
