Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

log4j issue with dynamodb-local - looking for release info and a date for what would be 1.17.3 with log4j 2.17

0

This is regarding the recent (2021-12) issues with log4j (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).

The AWS page on setting up DynamoDB Local at https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DynamoDBLocal.DownloadingAndRunning.html links to the most current version which shows at 1.17.2 in the README file. There's doesn't seem to be any listing of versions except for the XML file at https://s3.us-west-2.amazonaws.com/dynamodb-local/ and I can't find any resource indicating if there will be a release that bumps the log4j version up to 2.17, which fixes the latest issue found in that module.

Is there a public resource indicating when we can expect a new version or even a public repo for the source code that we can watch for changes? I can't find anything indicating when we might expect a new version or where we can track releases.

Should we stick with 1.17.1 which patches the issue (equivalent to using log4j 2.13.3, if I'm reading correctly) until there's a new version of dynamodb-local that upgrades to log4j 2.17?

Argomenti
DatabaseAWS Well-Architected Framework
Tag
Amazon DynamoDBSicurezza
Lingua
English
plumlee
posta 2 anni fa377 visualizzazioni
1 Risposta
1

DynamoDB Local recently patched version 1.17.1 which includes custom binary that patches Log4j v2.13.x to remove JndiLookup class. They have also released 1.17.2 which uses Log4j 2.16.x, which does not include the vulnerability CVE-2021-44228:

From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed

From the download of version 1.17.2 you can assert that is uses this library:

ls DynamoDBLocal_lib | grep Log4j-core.

Furthermore, you can assert that this package does not contain the JndiLookup class:

unzip -l DynamoDBLocal_lib/Log4j-core-2.16.jar | grep -i JndiLookup

DynamoDB Local does not have a public facing repository, however, you can stay up to date with updates on the latest releases here.

profile pictureAWS
ESPERTO
Leeroy Hannigan
con risposta 2 anni fa
  • plumlee
    2 anni fa

    Thank you sir. My concern with version dynamodb- local 1.17.2. is that there's an additional CVE for log4j 2.16.x - see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105. I think we will probably go with 1.17.1 until there's a newer release. Thank you for the info!

  • Leeroy Hannigan ESPERTO
    2 anni fa

    @plumlee DynamoDB team intend to roll out updates which will bump the Log4J version to 2.17.X in the next 1-2 weeks. As soon as I am informed of the newest release, I will comment on here.

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente