Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Avoid Log4J "Log4Shell" exploit #5910

Merged
merged 2 commits into from
Dec 10, 2021
Merged

Avoid Log4J "Log4Shell" exploit #5910

merged 2 commits into from
Dec 10, 2021

Conversation

cbeams
Copy link
Contributor

@cbeams cbeams commented Dec 10, 2021 

commit 55becc59c010c056b5e0107760c5bf3ba1926d2c
Author: Chris Beams <chris@beams.io>
Date:   Fri Dec 10 10:40:36 2021 +0100

	Avoid Log4J "Log4Shell" exploit
	
	This commit upgrades our transitive dependency on Log4J 2 from 2.14.1 to
	the newly-released 2.15.0 to avoid the CVE described at
	https://www.lunasec.io/docs/blog/log4j-zero-day/.
	
	We do not use log4j directly anywhere in our codebase, so our exposure
	to this exploit was already mitigated if not eliminated, but Spring Boot
	depends on Log4J 2 internally. This commit upgrades Spring Boot's
	underlying dependency on Log4J to 2.15.0 in the manner recommended at
	https://github.com/spring-projects/spring-boot/issues/28958.

commit 31c6e16e63e85ad99f870b2aa2f39e5fbc0380d8
Author: Chris Beams <chris@beams.io>
Date:   Fri Dec 10 10:34:09 2021 +0100

	Use Spring dependency-management plugin in pricenode
	
	This is in preparation for addressing log4j 2 zero day exploit described
	at https://www.lunasec.io/docs/blog/log4j-zero-day/. See full details
	in the next commit.
	
	Bringing in the dependency-management plugin results in many changes to
	our Gradle verification metadata file, but all are BOM / POM / Module
	manifests. No additional jar or code dependencies have been whitelisted
	with this change.

@cbeams
Use Spring dependency-management plugin in pricenode
31c6e16 
This is in preparation for addressing log4j 2 zero day exploit described
at https://www.lunasec.io/docs/blog/log4j-zero-day/. See full details
in the next commit.

Bringing in the dependency-management plugin results in many changes to
our Gradle verification metadata file, but all are BOM / POM / Module
manifests. No additional jar or code dependencies have been whitelisted
with this change.
@cbeams
Avoid Log4J "Log4Shell" exploit
55becc5 
This commit upgrades our transitive dependency on Log4J 2 from 2.14.1 to
the newly-released 2.15.0 to avoid the CVE described at
https://www.lunasec.io/docs/blog/log4j-zero-day/.

We do not use log4j directly anywhere in our codebase, so our exposure
to this exploit was already mitigated if not eliminated, but Spring Boot
depends on Log4J 2 internally. This commit upgrades Spring Boot's
underlying dependency on Log4J to 2.15.0 in the manner recommended at
spring-projects/spring-boot#28958.
ripcurlx
ripcurlx approved these changes Dec 10, 2021
View reviewed changes
Copy link
Contributor

@ripcurlx ripcurlx left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

utACK - running a local build worked. I'll continue testing this in the release branch on multiple plattforms.

@mrosseel
Copy link
Contributor

mrosseel commented Dec 10, 2021
edited
Loading

utACK
PS: some extra context at https://news.ycombinator.com/item?id=29504755

@ripcurlx ripcurlx added this to the v1.8.0 milestone Dec 10, 2021
@ripcurlx ripcurlx merged commit a592266 into bisq-network:master Dec 10, 2021
wiz
wiz reviewed Dec 11, 2021
View reviewed changes
Copy link
Contributor

@wiz wiz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Post merge ACK, running fine on wizpriceje6q5tdrxkyiazsgu7irquiqjy2dptezqhrtu7l2qelqktid

@premek
Copy link

premek commented Dec 17, 2021

Should it be updated again to 2.16.0?

https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/

@cbeams
Copy link
Contributor Author

cbeams commented Dec 19, 2021

Should it be updated again to 2.16.0?

Yes, will submit another PR shortly.

@cbeams cbeams deleted the avoid-log4j-0day branch December 19, 2021 18:48
@cbeams cbeams mentioned this pull request Dec 19, 2021
Closed
@cbeams
Copy link
Contributor Author

cbeams commented Dec 20, 2021

Should it be updated again to 2.16.0?

See #5928

@cbeams cbeams mentioned this pull request Jan 21, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wiz wiz wiz left review comments

@ripcurlx ripcurlx ripcurlx approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.8.0
Development

Successfully merging this pull request may close these issues.
5 participants
@cbeams @mrosseel @premek @ripcurlx @wiz