  1. JOC - JobScheduler Operations Center
  2. JOC-1192

Update log4j2 2.17.0 to 2.17.1 due to 3rd party vulnerability issue in log4j2 2.17.0 (CVE-2021-44832)


Details

    • CVE-2021-44832

    Description

      Current Situation

      • Severity Level: LOW
        • There is no exploit with current JS1 and JS7 JobScheduler components.
        • JOC Cockpit (JS1/JS7) and Master (JS1) ship with a log4j2.xml configuration file that does not include configuration items that are subject to the vulnerability CVE-2021-44832. However, this might not apply if users modified JobScheduler's log4j configuration files to use JDBC data sources.
        • Controller (JS7) and Agents (JS1/JS7) do not ship with a Log4j configuration affected by the vulnerability.
        • The nature of this vulnerability requires administrative access to JobScheduler's log4j configuration files.

      Desired Behavior

      • Because of a vulnerability in older log4j releases, JobScheduler and JS7 components should use the current version 2.17.1, which fixes the issue.
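
To check whether a locally modified log4j2.xml falls under the caveat in Current Situation (configuration files changed to use JDBC data sources), the following added example lists JDBC appenders that use a DataSource connection source. It is not part of the original issue or of the JobScheduler code base; the function names and both sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop any XML namespace; Log4j2 element names are case-insensitive.
    return tag.rsplit("}", 1)[-1].lower()

def _attr(elem, name):
    # Case-insensitive attribute lookup, empty string when absent.
    return next((v for k, v in elem.attrib.items() if k.lower() == name.lower()), "")

def find_jdbc_datasources(xml_text):
    """Return one finding per JDBC appender that uses a <DataSource> connection source."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = _local(elem.tag)
        # Concise syntax: <JDBC ...>; strict syntax: <Appender type="JDBC" ...>
        if tag != "jdbc" and not (tag == "appender" and _attr(elem, "type").lower() == "jdbc"):
            continue
        for child in elem:
            if _local(child.tag) == "datasource":
                jndi = _attr(child, "jndiName")
                findings.append({
                    "appender": _attr(elem, "name"),
                    "jndiName": jndi,
                    # Log4j 2.17.1 limits JNDI data source names to the java: protocol.
                    "java_scheme": jndi.strip().lower().startswith("java:"),
                })
    return findings

# Constructed sample: console logging only, no JDBC appender.
NO_JDBC = """<Configuration><Appenders>
  <Console name="stdout"><PatternLayout pattern="%m%n"/></Console>
</Appenders></Configuration>"""

# Constructed sample: a user-modified configuration with three JDBC appenders.
WITH_JDBC = """<Configuration><Appenders>
  <JDBC name="db1" tableName="log">
    <DataSource jndiName="java:/comp/env/jdbc/LoggingDS"/>
  </JDBC>
  <Appender type="JDBC" name="db2" tableName="log">
    <DataSource jndiName="jdbc/LoggingDS"/>
  </Appender>
  <JDBC name="db3" tableName="log">
    <ConnectionFactory class="com.example.Db" method="getConnection"/>
  </JDBC>
</Appenders></Configuration>"""
```

Pass the text of each deployed log4j2.xml to `find_jdbc_datasources`; an empty list means the file has no JDBC appender with a DataSource, and any finding marks a configuration to review before and after the update to 2.17.1.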

       


            People

              ap Andreas Püschel
              ap Andreas Püschel
              Aditi Dubey Aditi Dubey