Details
- Fix
- Status: Released
- Low
- Resolution: Fixed
- 1.13.10, 2.2.0, 2.2.1
- None
- CVE-2021-44832
Description
Current Situation
- Currently the latest JS1 and JS7 JobScheduler components use log4j 2.17.0.
- A vulnerability affects log4j2 version 2.17.0:
  - CVE-2021-44832, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832
  - Severity Level: LOW
- This vulnerability is not exploitable with the current JS1 and JS7 JobScheduler components.
- JOC Cockpit (JS1/JS7) and Master (JS1) ship with a log4j2.xml configuration file that does not include the configuration items subject to CVE-2021-44832. However, this might not apply if users have modified the JobScheduler's log4j configuration files to use JDBC data sources.
- Controller (JS7) and Agents (JS1/JS7) do not ship with a Log4j configuration affected by the vulnerability.
- The nature of this vulnerability requires administrative access to JobScheduler's log4j configuration files.
Desired Behavior
- Due to the vulnerability in older log4j releases, JS1 and JS7 JobScheduler components should use the current version 2.17.1, which fixes the issue.
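As an added defensive check (example code written for this page, not part of the JobScheduler project or its shipped files), the script below audits the two conditions the ticket describes: whether a log4j2.xml has been modified to use a JDBC appender whose DataSource is resolved via JNDI, and whether a bundled log4j-core jar is below the 2.17.1 target named under Desired Behavior. The sample configurations and jar names are constructed; the `log4j-core-<version>.jar` naming and the `<JDBC>` / `<Appender type="JDBC">` element forms are standard Log4j 2 conventions, and the version check applies only the single 2.17.1 target from this ticket rather than the per-branch fix matrix.

```python
"""Defensive audit for the two conditions this ticket describes:
(1) whether a log4j2.xml configuration contains a JDBC appender whose DataSource
    is resolved via JNDI (the configuration CVE-2021-44832 concerns), and
(2) whether a bundled log4j-core jar is older than the 2.17.1 target release.
Sample inputs are constructed for this example; they are not the files the
JobScheduler components ship with."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: console logging only, nothing CVE-2021-44832 relies on.
CLEAN_LOG4J2_XML = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %-5p %c - %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed sample of a user-modified configuration that logs to a database
# through a JNDI-resolved DataSource, the case the ticket singles out.
JDBC_LOG4J2_XML = """<Configuration status="WARN">
  <Appenders>
    <JDBC name="DbLog" tableName="SCHEDULER_LOGS">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="EVENT_DATE" isEventTimestamp="true"/>
      <Column name="MESSAGE" pattern="%message"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="DbLog"/></Root>
  </Loggers>
</Configuration>
"""

# Release named in the ticket's Desired Behavior as the fixed version.
FIXED_LOG4J_VERSION = (2, 17, 1)


def _is_jdbc_appender(element):
    # Log4j 2 accepts both <JDBC ...> and <Appender type="JDBC" ...>; tag and
    # attribute names in its XML configuration are case-insensitive.
    tag = element.tag.lower()
    if tag == "jdbc":
        return True
    return tag == "appender" and element.attrib.get("type", "").lower() == "jdbc"


def find_jdbc_jndi_datasources(xml_text):
    """Return (appender name, JNDI name) for every JDBC appender whose DataSource
    element carries a jndiName attribute, i.e. every appender that would make a
    log4j-core 2.17.0 deployment subject to CVE-2021-44832."""
    root = ET.fromstring(xml_text)
    findings = []
    for element in root.iter():
        if not _is_jdbc_appender(element):
            continue
        for child in element:
            if child.tag.lower() != "datasource":
                continue
            attrs = {k.lower(): v for k, v in child.attrib.items()}
            if "jndiname" in attrs:
                findings.append((element.attrib.get("name", "?"), attrs["jndiname"]))
    return findings


def parse_log4j_core_version(jar_name):
    """Extract (major, minor, patch) from a Maven-style log4j-core jar file name,
    or None if the name is not a log4j-core jar."""
    m = re.fullmatch(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar", jar_name)
    return tuple(int(x) for x in m.groups()) if m else None


def needs_update(jar_name, fixed=FIXED_LOG4J_VERSION):
    """True if jar_name is a log4j-core jar older than the 2.17.1 target, False if
    it is at or above it, None if it is not a log4j-core jar at all. This applies
    the single target release named in the ticket, not the per-branch fix matrix."""
    version = parse_log4j_core_version(jar_name)
    if version is None:
        return None
    return version < fixed


def audit(xml_text, jar_names):
    """Combine both checks into one report dictionary."""
    return {
        "jndi_datasources": find_jdbc_jndi_datasources(xml_text),
        "outdated_jars": [j for j in jar_names if needs_update(j)],
    }


if __name__ == "__main__":
    jars = ["log4j-core-2.17.0.jar", "log4j-api-2.17.0.jar"]
    for label, xml in (("console-only config", CLEAN_LOG4J2_XML), ("JDBC config", JDBC_LOG4J2_XML)):
        print(label, audit(xml, jars))
```

Run it against a real deployment by reading each component's log4j2.xml and listing the jars in its lib directory; an empty `jndi_datasources` list together with an empty `outdated_jars` list means neither condition the ticket describes is present.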
Attachments
Issue Links
- is related to
  - JOC-1184 Update log4j2 2.14.1 to 2.15.0 due to 3rd party vulnerability issue in log4j2 2.14.1 (CVE-2021-44228): Released
  - JOC-1186 Update log4j2 2.15.0 to 2.16.0 due to 3rd party vulnerability issue in log4j2 2.15.0 (CVE-2021-45046): Released
  - JOC-1188 Update log4j2 2.16.0 to 2.17.0 due to 3rd party vulnerability issue in log4j2 2.16.0 (CVE-2021-45105): Released