Bug #20421

closed

Upgrade logback version for LOGBACK-1591 / JNDI

Added by François ARMAND 12 months ago. Updated 12 months ago.

Status: Released
Priority: N/A
Category: Security
Priority: 0

Description

After the log4j JNDI vulnerability, logback did an audit of their code and found a potential, low-risk (since it needs write access to the logback.xml file) vector:
https://jira.qos.ch/browse/LOGBACK-1591.

The /opt/rudder/etc/logback.xml should only be writable by the root user on Rudder servers, so it does not seem exploitable.

We should still update to logback 2.6.8 in case other, more horrible, attack vectors are found.
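The mitigating condition the description relies on (only root can write the file) can be verified on a server; the following check script is an added example, not code from the Rudder project or its pull request. It assumes GNU stat, defaults to the /opt/rudder/etc/logback.xml path named above, and takes the expected owner as a parameter so it can also be run against a copy of the file.

```shell
#!/bin/sh
# Added example, not part of Rudder or the linked PR.
# Checks that a logback.xml is owned by the expected user (root by default),
# is not group- or world-writable, and contains no JNDI directives such as
# <insertFromJNDI>, since LOGBACK-1591 requires write access to that file.
# Assumes GNU stat (the -c format flag) and a POSIX shell.
# Usage: check_logback_conf [path] [expected_owner]
# Returns 0 when every check passes, 1 otherwise, printing one line per finding.

check_logback_conf() {
    conf="${1:-/opt/rudder/etc/logback.xml}"
    expected_owner="${2:-root}"
    rc=0
    if [ ! -f "$conf" ]; then
        echo "MISSING: $conf"
        return 1
    fi
    owner=$(stat -c '%U' "$conf")
    mode=$(stat -c '%a' "$conf")
    if [ "$owner" != "$expected_owner" ]; then
        echo "FAIL: $conf is owned by $owner, expected $expected_owner"
        rc=1
    fi
    # 022 (octal) masks the group-write and world-write bits of the mode.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL: $conf is group- or world-writable (mode $mode)"
        rc=1
    fi
    # Any JNDI reference in a logging config deserves review: JNDI lookup is
    # the mechanism LOGBACK-1591 relies on once the file can be modified.
    if grep -qi 'jndi' "$conf"; then
        echo "WARN: $conf references JNDI:"
        grep -ni 'jndi' "$conf"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $conf is owned by $expected_owner, mode $mode, no JNDI use"
    fi
    return "$rc"
}

# When invoked with arguments, run the check on the given file and owner.
if [ $# -gt 0 ]; then check_logback_conf "$@"; fi
```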

Actions #1

Updated by François ARMAND 12 months ago

  • Status changed from New to In progress
  • Assignee set to François ARMAND
Actions #2

Updated by Alexis Mousset 12 months ago

  • Description updated (diff)
Actions #3

Updated by François ARMAND 12 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Alexis Mousset
  • Pull Request set to https://github.com/Normation/rudder/pull/4051
Actions #4

Updated by Alexis Mousset 12 months ago

  • Description updated (diff)
Actions #5

Updated by François ARMAND 12 months ago

  • Status changed from Pending technical review to Pending release
Actions #7

Updated by Vincent MEMBRÉ 12 months ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 6.1.18, 6.2.12 and 7.0.0~rc2 which were released today.
