JOC - JobScheduler Operations Center / JOC-1192

Update log4j2 2.17.0 to 2.17.1 due to 3rd party vulnerability issue in log4j2 2.17.0 (CVE-2021-44832)

    Details

    • CVE-ID:
      CVE-2021-44832

      Description

      Current Situation

      • Severity Level: LOW
        • There is no exploit with current JS1 and JS7 JobScheduler components.
        • JOC Cockpit (JS1/JS7) and Master (JS1) ship with a log4j2.xml configuration file that does not include configuration items that are subject to the vulnerability CVE-2021-44832. However, this might not apply if users modified the JobScheduler's log4j configuration files to use JDBC data sources.
        • Controller (JS7) and Agents (JS1/JS7) do not ship with a Log4j configuration affected by the vulnerability.
        • The nature of this vulnerability requires administrative access to JobScheduler's log4j configuration files.

      Desired Behavior

      • Because of a vulnerability in older log4j releases, JobScheduler and JS7 components should use the current version 2.17.1, which fixes the issues.
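The "Current Situation" notes say the shipped log4j2.xml is not affected unless it was modified to use JDBC data sources. The following added example (not part of the original issue or of JobScheduler's code) shows one way to check a log4j2.xml for that condition; the function name and both sample configurations are constructed for illustration. The `java:` check reflects that Log4j 2.17.1 limits JNDI data source names to the java protocol.

```python
import xml.etree.ElementTree as ET

# Constructed samples, not the files shipped with JobScheduler.
UNMODIFIED = """<Configuration>
  <Appenders>
    <Console name="stdout"><PatternLayout pattern="%m%n"/></Console>
  </Appenders>
</Configuration>"""

MODIFIED = """<Configuration>
  <Appenders>
    <JDBC name="local-db" tableName="LOGS">
      <DataSource jndiName="java:comp/env/jdbc/logging"/>
    </JDBC>
    <Appender type="JDBC" name="other-db" tableName="LOGS">
      <DataSource jndiName="placeholder://host.invalid/ds"/>
    </Appender>
  </Appenders>
</Configuration>"""

def _local(tag):
    # Strip any XML namespace; Log4j2 element names are case-insensitive.
    return tag.rsplit("}", 1)[-1].lower()

def _attrs(el):
    return {k.lower(): v for k, v in el.attrib.items()}

def jdbc_jndi_findings(xml_text):
    """Return (appender name, jndiName, uses java: scheme) per JDBC appender data source."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        a = _attrs(el)
        # Concise form <JDBC ...> or strict-syntax form <Appender type="JDBC" ...>.
        if _local(el.tag) != "jdbc" and not (
                _local(el.tag) == "appender" and a.get("type", "").lower() == "jdbc"):
            continue
        # Any descendant carrying a jndiName attribute is a JNDI-backed data source.
        for child in el.iter():
            jndi = _attrs(child).get("jndiname")
            if jndi is not None:
                jndi = jndi.strip()
                findings.append((a.get("name", "?"), jndi, jndi.lower().startswith("java:")))
    return findings

if __name__ == "__main__":
    for label, text in (("unmodified", UNMODIFIED), ("modified", MODIFIED)):
        for name, jndi, java_only in jdbc_jndi_findings(text) or [("-", "-", True)]:
            print(f"{label}: appender={name} jndiName={jndi} java-scheme={java_only}")
```

An empty result means the file has no JDBC appender with a JNDI data source; any entry whose last field is `False` is a configuration to review before and after the upgrade.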

              People

              • Assignee:
                Andreas Püschel
                Reporter:
                Andreas Püschel
                Approver:
                Aditi Dubey