Bug #20421: Upgrade logback version for LOGBACK-1591 / JNDI - Rudder - Issue Tracker

Actions

Copy link

Bug #20421

closed

Upgrade logback version for LOGBACK-1591 / JNDI

Added by François ARMAND almost 3 years ago. Updated almost 3 years ago.

Status:

Released

Priority:

N/A

Assignee:

Alexis Mousset

Category:

Security

Target version:

6.1.18

Pull Request:

https://github.com/Normation/rudder/p...

Severity:

UX impact:

User visibility:

Effort required:

Priority:

Name check:

To do

Fix check:

Checked

Regression:

Description

After log4j JNDI vulnerability, logback did an audit of their code and found a potential, low risk (since it needs write access to logback.xml file) vector:
https://jira.qos.ch/browse/LOGBACK-1591.

The /opt/rudder/etc/logback.xml should only be writeable by the root user on Rudder servers, so it does not seem exploitable.

We still should update to logback 2.6.8 in case other, more horrible, attack vectors are found.

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Rudder

Custom queries

Bug #20421

Upgrade logback version for LOGBACK-1591 / JNDI

Updated by François ARMAND almost 3 years ago

Updated by Alexis Mousset almost 3 years ago

Updated by François ARMAND almost 3 years ago

Updated by Alexis Mousset almost 3 years ago

Updated by François ARMAND almost 3 years ago

Updated by Alexis Mousset almost 3 years ago

Updated by Vincent MEMBRÉ almost 3 years ago