log4j2 CVE-2021-44228

Stephen Mallette

Dec 13, 2021, 6:43:25 AM12/13/21
to gremli...@googlegroups.com, d...@tinkerpop.apache.org
I just wanted to post a few words about the log4j CVE:


TinkerPop 3.4.x and 3.5.x are still bound to log4j 1.2.x, which is not covered by this CVE, which only refers to log4j2. That said, there is some odd configuration for 1.2 with the JMSAppender that I think can cause similar issues to this CVE, so if you are somehow using that you may want to examine your configurations.

For the upcoming 3.6.0 release we will have moved away from log4j to logback.

In all cases, the logger implementation is "provided" scope, so if you depend on TinkerPop, you have to explicitly define your implementation and version. Therefore the implementation and version you are using in that way is not dependent on TinkerPop. For Gremlin Server and Gremlin Console we include log4j 1.2.x (3.4.x/3.5.x) and logback (unreleased 3.6.0) as default logger implementations.

It is worth noting that hadoop-gremlin and spark-gremlin both continue to have log4j 1.2.x bindings despite our change to logback. I'm not aware of any intentions those projects have for upgrading or switching in the future.

Well, that's the State of the Union for logging - I hope that answers any open questions out there, but feel free to ask others if you have any doubts.
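Since the post's point is that the logging implementation is "provided" scope and therefore whatever sits on your own classpath decides exposure, a practical check is to inspect the jars actually deployed. The script below is an added example, not TinkerPop code: it classifies each jar in a directory as log4j 1.2 (optionally carrying the JMSAppender the post mentions), log4j2 core, or something else, keyed on well-known class paths inside the jar. The jars it builds are constructed stubs for demonstration; the class paths are real, but treat the result as a heuristic, not proof of absence.

```python
"""Classpath audit: which log4j generation does each jar on disk carry?

Added example illustrating the post's distinction between log4j 1.2.x
(not covered by CVE-2021-44228) and log4j2 (covered). Heuristic only:
it keys on class paths known to exist in the respective artifacts.
"""
import tempfile
import zipfile
from pathlib import Path

# Real class locations inside the respective log4j artifacts.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J1_JMS = "org/apache/log4j/net/JMSAppender.class"
LOG4J2_JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def classify_jar(jar_path):
    """Return 'log4j2-core', 'log4j1+jmsappender', 'log4j1' or 'other'."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    if LOG4J2_JNDI in names:
        return "log4j2-core"  # JndiLookup present: CVE-2021-44228 applies
    if LOG4J1_MARKER in names:
        # log4j 1.2: not covered by the CVE, but flag the JMSAppender config
        return "log4j1+jmsappender" if LOG4J1_JMS in names else "log4j1"
    return "other"


def audit(lib_dir):
    """Map every *.jar directly under lib_dir to its classification."""
    return {p.name: classify_jar(p) for p in sorted(Path(lib_dir).glob("*.jar"))}


def make_stub_jar(path, entries):
    """Write a constructed jar (just a zip) containing empty stub entries."""
    with zipfile.ZipFile(path, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")


def demo():
    """Build three constructed stub jars in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        make_stub_jar(d / "log4j-1.2.x.jar", [LOG4J1_MARKER, LOG4J1_JMS])
        make_stub_jar(d / "log4j-core-2.x.jar", [LOG4J2_JNDI])
        make_stub_jar(d / "logback-classic.jar", ["ch/qos/logback/classic/Logger.class"])
        return audit(d)


if __name__ == "__main__":
    for jar, kind in demo().items():
        print(f"{jar}: {kind}")
```

Point `audit()` at a real Gremlin Server `lib/` directory to see which binding your deployment actually ships; a log4j 1.2 result still deserves a look at any JMSAppender configuration.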


