Bug #20421

closed

Upgrade logback version for LOGBACK-1591 / JNDI

Added by François ARMAND almost 3 years ago. Updated almost 3 years ago.

Status: Released
Priority: N/A
Category: Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Name check: To do
Fix check: Checked
Regression:

Description

After the log4j JNDI vulnerability, logback did an audit of their code and found a potential, low-risk (since it needs write access to the logback.xml file) vector:
https://jira.qos.ch/browse/LOGBACK-1591.

The /opt/rudder/etc/logback.xml should only be writeable by the root user on Rudder servers, so it does not seem exploitable.

We still should update to logback 2.6.8 in case other, more horrible, attack vectors are found.
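
One way to verify the permission assumption stated in the description, as an added example that is not part of the original ticket or of Rudder's code. The helper name `check_root_only` and its optional owner and top-directory arguments are hypothetical, and GNU coreutils `stat` and `readlink` are assumed.

```shell
#!/bin/sh
# Added example (not Rudder code). check_root_only is a hypothetical helper.
# Usage: check_root_only PATH [OWNER_UID] [TOP_DIR]
# Passes only if PATH and every ancestor directory up to TOP_DIR (default /)
# is owned by OWNER_UID (default 0 = root) and not group- or world-writable.
# Ancestors matter: whoever can write a parent directory can replace the file.
# Assumes GNU coreutils stat(1) and readlink(1).
check_root_only() {
    owner=${2:-0}
    p=$(readlink -f -- "$1") || return 2          # resolve symlinks first
    top=$(readlink -f -- "${3:-/}") || return 2
    if [ ! -e "$p" ]; then
        echo "missing: $p" >&2
        return 2
    fi
    rc=0
    while :; do
        uid=$(stat -c %u -- "$p")
        mode=$(stat -c %a -- "$p")                # octal permission bits, e.g. 644
        if [ "$uid" != "$owner" ]; then
            echo "FAIL owner uid $uid (want $owner): $p"
            rc=1
        fi
        # 022 masks the group-write and other-write bits.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL group/other writable (mode $mode): $p"
            rc=1
        fi
        if [ "$p" = "$top" ] || [ "$p" = "/" ]; then
            break
        fi
        p=$(dirname -- "$p")
    done
    return $rc
}

# Run as a script: sh check.sh /opt/rudder/etc/logback.xml
if [ "$#" -gt 0 ]; then
    check_root_only "$@"
fi
```

The function returns 0 when every checked path passes, 1 when any owner or mode check fails, and 2 when the path cannot be resolved or does not exist.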
