[logback-dev] SECURITY FIX - Release of logback version 1.2.8 with security Fixes
Ceki Gülcü
ceki at qos.ch
Tue Dec 14 13:38:20 CET 2021
== Includes security fixes ====
Hello all,
In the wake of CVE-2021-44228, a serialization related
vulnerability has been reported which affects logback.
In response to this vulnerability we have disabled all JNDI
lookup code in logback until further notice. This impacts
ContextJNDISelector and <insertFromJNDI> element in configuration
files.
We have also removed all database (JDBC) related code in the
project with no replacement.
We note that the vulnerability mentioned in LOGBACK-1591 [1]
requires write access to logback's configuration file as a
prerequisite. An demo of the vulnerability can be found at [2].
We urge you to upgrade to logback 1.2.8 as soon as possible.
A release on the 1.3.x branch will follow shorty.
As an additional precautionary measure, we also recommend users
to set their configuration files as read-only.
Best regards,
[1] https://jira.qos.ch/browse/LOGBACK-1591
[2] https://github.com/cn-panda/logbackRceDemo
--
Ceki Gülcü
Please contact sales(at)qos.ch for support related to SLF4J or
logback projects.
More information about the logback-dev
mailing list