1回答
- 新しい順
- 投票が多い順
- コメントが多い順
1
DynamoDB Local recently patched version 1.17.1 which includes custom binary that patches Log4j v2.13.x to remove JndiLookup
class. They have also released 1.17.2 which uses Log4j 2.16.x, which does not include the vulnerability CVE-2021-44228:
From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed
From the download of version 1.17.2 you can assert that is uses this library:
ls DynamoDBLocal_lib | grep Log4j-core
.
Furthermore, you can assert that this package does not contain the JndiLookup
class:
unzip -l DynamoDBLocal_lib/Log4j-core-2.16.jar | grep -i JndiLookup
DynamoDB Local does not have a public facing repository, however, you can stay up to date with updates on the latest releases here.
関連するコンテンツ
- AWS公式更新しました 3年前
Thank you sir. My concern with version dynamodb- local 1.17.2. is that there's an additional CVE for log4j 2.16.x - see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105. I think we will probably go with 1.17.1 until there's a newer release. Thank you for the info!
@plumlee DynamoDB team intend to roll out updates which will bump the Log4J version to 2.17.X in the next 1-2 weeks. As soon as I am informed of the newest release, I will comment on here.