Bug #20421
closed
Upgrade logback version for LOGBACK-1591 / JNDI
Priority: 0
Name check: To do
Fix check: Checked
Description
After the log4j JNDI vulnerability, logback did an audit of their code and found a potential, low-risk (since it needs write access to the logback.xml file) vector: https://jira.qos.ch/browse/LOGBACK-1591.
The /opt/rudder/etc/logback.xml should only be writeable by the root user on Rudder servers, so it does not seem exploitable.
We still should update to logback 2.6.8 in case other, more horrible, attack vectors are found.
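One way to verify the precondition stated in the description (the configuration file is writable only by root), as an added example that is not part of the ticket or of Rudder's own tooling. The function names and the optional owner argument are assumptions made for illustration; the default path is the one given above.

```shell
#!/bin/sh
# Added example: audit that a logback configuration file can only be
# modified by one trusted account (root by default).
# The owner argument is an assumption added so that the check can also
# be exercised on a test file by a non-root user.

# Print one finding per problem on path $1 (expected owner: $2).
# Returns the number of findings, so 0 means the path is fine.
check_writers() {
    target=$1
    owner=$2
    findings=0
    if [ ! -e "$target" ]; then
        echo "MISSING: $target"
        return 1
    fi
    # -H: if the path is a symlink, evaluate the file it points to.
    if [ -n "$(find -H "$target" -prune ! -user "$owner")" ]; then
        echo "OWNER: $target is not owned by $owner"
        findings=$((findings + 1))
    fi
    if [ -n "$(find -H "$target" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "MODE: $target is group- or world-writable"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Check the file and its containing directory: write access to the
# directory is enough to replace the file, whatever the file's own mode.
audit_logback_config() {
    file=${1:-/opt/rudder/etc/logback.xml}
    owner=${2:-root}
    rc=0
    check_writers "$file" "$owner" || rc=1
    check_writers "$(dirname "$file")" "$owner" || rc=1
    return "$rc"
}

# Usage on a server: audit_logback_config && echo "logback.xml: OK"
```

Only the immediate parent directory is checked; ancestors higher up the path and ACLs are outside what this sketch covers.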
Updated by François ARMAND almost 3 years ago
- Status changed from New to In progress
- Assignee set to François ARMAND
Updated by François ARMAND almost 3 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from François ARMAND to Alexis Mousset
- Pull Request set to https://github.com/Normation/rudder/pull/4051
Updated by François ARMAND almost 3 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|2f19824041af8925d38a171360a3bf8beec95d1a.
Updated by Alexis Mousset almost 3 years ago
- Fix check changed from To do to Checked
Updated by Vincent MEMBRÉ almost 3 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 6.1.18, 6.2.12 and 7.0.0~rc2 which were released today.