
Upgrade to Log4j2 2.17.0 #28983

Closed
snicoll opened this issue Dec 10, 2021 · 8 comments
Labels: type: dependency-upgrade (A dependency upgrade)
Milestone

Comments

@snicoll (Member) commented Dec 10, 2021

No description provided.

@snicoll snicoll added the type: dependency-upgrade A dependency upgrade label Dec 10, 2021
@snicoll snicoll added this to the 2.5.8 milestone Dec 10, 2021
@wilkinsona wilkinsona pinned this issue Dec 10, 2021
@zhoujia1974 commented

What is the target release date for this CVE patch?

@scottfrederick (Contributor) commented

@zhoujia1974 The project milestones page shows the planned dates for upcoming releases, including the 2.5.8 release that this issue is scheduled for.

@madorb commented Dec 10, 2021

Considering the severity of this CVE, could that be moved up? (I know folks can fix it otherwise... but will they?)

@spring-projects spring-projects locked and limited conversation to collaborators Dec 10, 2021
@philwebb (Member) commented

We discussed the idea of doing an earlier release but ultimately decided to stick with our existing schedule. The main reason is we manage an awful lot of dependencies and we don’t really want to trigger releases anytime one of them has a CVE. Another factor is the fact that our out-of-the-box setup doesn’t include log4j-core.

We have published a blog post about the vulnerability to help people understand their options. It’s at https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot

@spring-projects spring-projects unlocked this conversation Dec 11, 2021
@madorb commented Dec 11, 2021

Totally agree with that in general, but this isn't exactly your average CVE. It certainly helps that it's not the default logging framework, but... still, to this layman, it seems patch-worthy. Thanks for the detailed blog post, though! That'll definitely help folks.

@spring-projects spring-projects locked and limited conversation to collaborators Dec 11, 2021
@spring-projects spring-projects unlocked this conversation Dec 12, 2021
@mauromol commented

Will this be backported to Spring Boot 2.4.x? The blog article speaks about just 2.5.x and 2.6.x.

@bclozel (Member) commented Dec 13, 2021

@mauromol Spring Boot 2.4.x is out of OSS support.

@mbhave mbhave unpinned this issue Dec 13, 2021
@mbhave mbhave pinned this issue Dec 13, 2021
@bclozel bclozel unpinned this issue Dec 14, 2021
@snicoll snicoll reopened this Dec 15, 2021
@snicoll snicoll changed the title Upgrade to Log4j2 2.15.0 Upgrade to Log4j2 2.16.0 Dec 15, 2021
@snicoll (Member, Author) commented Dec 18, 2021

Reopening to upgrade to 2.17.0 per CVE-2021-45105.

@snicoll snicoll reopened this Dec 18, 2021
@snicoll snicoll changed the title Upgrade to Log4j2 2.16.0 Upgrade to Log4j2 2.17.0 Dec 18, 2021
snicoll added a commit that referenced this issue Dec 18, 2021
Development

No branches or pull requests

7 participants