1 Answer
DynamoDB Local recently released a patched version, 1.17.1, which includes a custom binary that patches Log4j v2.13.x to remove the JndiLookup
class. They have also released 1.17.2, which uses Log4j 2.16.x, which does not include the vulnerability CVE-2021-44228:
From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed
From the download of version 1.17.2 you can assert that it uses this library:
ls DynamoDBLocal_lib | grep Log4j-core
Furthermore, you can assert that this package does not contain the JndiLookup class:
unzip -l DynamoDBLocal_lib/Log4j-core-2.16.jar | grep -i JndiLookup
DynamoDB Local does not have a public-facing repository; however, you can stay up to date with the latest releases here.
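As an added example (not part of the original answer or of DynamoDB Local itself), the two manual checks above scripted in Python over every jar in a directory: the log4j-core version is read from the jar's Maven pom.properties rather than from the filename, and jars nested inside other jars (shaded application jars) are inspected too, which the `unzip -l` one-liner on a single file would miss. The sample jars, including one named DynamoDBLocal.jar to stand in for a shaded application jar, are constructed in a temporary directory and are not real Log4j artifacts; the version thresholds are the ones cited in this thread (JndiLookup removed in 2.16.0 for CVE-2021-44228, 2.17.x for CVE-2021-45105).

```python
"""Offline scan of a directory (e.g. DynamoDBLocal_lib) for log4j-core jars.

Added example, not code from the original answer. Sample jars are constructed
below; version thresholds follow the thread (2.16.0 drops JndiLookup, 2.17.0
addresses CVE-2021-45105).
"""
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def _version_tuple(v):
    """'2.13.3' -> (2, 13, 3); pads short versions so tuple comparison is sane."""
    parts = [int(x) for x in re.findall(r"\d+", v)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def _inspect_bytes(data):
    """Return (log4j-core version or None, JndiLookup present) for one jar,
    descending into any jars embedded inside it."""
    version, has_jndi = None, False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == JNDI_CLASS:
                has_jndi = True
            elif name == POM_PROPS:
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            elif name.lower().endswith(".jar"):
                nested_version, nested_jndi = _inspect_bytes(zf.read(name))
                version = version or nested_version
                has_jndi = has_jndi or nested_jndi
    return version, has_jndi


def inspect_jar(path):
    with open(path, "rb") as f:
        return _inspect_bytes(f.read())


def classify(version, has_jndi):
    """Verdict codes, in the order a reviewer would care about them."""
    if has_jndi:
        return "JNDI_PRESENT"         # the class the answer checks for is still there
    if version is None:
        return "NO_LOG4J_CORE"        # neither log4j-core pom nor JndiLookup: not a log4j-core jar
    v = _version_tuple(version)
    if v >= (2, 17, 0):
        return "OK"
    if v[:2] == (2, 13):
        return "CLASS_REMOVED_PATCH"  # shape of the 1.17.1 custom binary: 2.13.x minus JndiLookup
    return "BELOW_2_17"               # e.g. 2.16.0: JndiLookup gone, review against CVE-2021-45105


def scan_dir(dirpath):
    """Map jar filename -> (version, verdict) for every jar in dirpath."""
    results = {}
    for name in sorted(os.listdir(dirpath)):
        if name.lower().endswith(".jar"):
            version, has_jndi = inspect_jar(os.path.join(dirpath, name))
            results[name] = (version, classify(version, has_jndi))
    return results


def _jar_bytes(version, include_jndi, extra=None):
    """Constructed minimal jar (not a real Log4j build) for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\nversion=%s\n" % version)
        zf.writestr("org/apache/logging/log4j/core/Core.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        for entry, data in (extra or {}).items():
            zf.writestr(entry, data)
    return buf.getvalue()


def build_samples(dirpath):
    """Write constructed sample jars covering each verdict."""
    samples = {
        "log4j-core-2.13.3.jar": _jar_bytes("2.13.3", True),
        "log4j-core-2.13.3-patched.jar": _jar_bytes("2.13.3", False),
        "log4j-core-2.16.0.jar": _jar_bytes("2.16.0", False),
        "log4j-core-2.17.1.jar": _jar_bytes("2.17.1", False),
    }
    # Constructed shaded jar: a clean-looking app jar embedding a vulnerable log4j-core.
    inner = samples["log4j-core-2.13.3.jar"]
    with zipfile.ZipFile(io.BytesIO(), "w"):
        pass
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        zf.writestr("lib/log4j-core-2.13.3.jar", inner)
    samples["DynamoDBLocal.jar"] = buf.getvalue()
    for name, data in samples.items():
        with open(os.path.join(dirpath, name), "wb") as f:
            f.write(data)


def demo():
    """Build the constructed samples in a temp dir and scan them."""
    d = tempfile.mkdtemp(prefix="ddblocal-")
    build_samples(d)
    return scan_dir(d)


if __name__ == "__main__":
    for jar, (version, verdict) in demo().items():
        print("%-32s %-8s %s" % (jar, version or "-", verdict))
```

Run it against a real DynamoDBLocal_lib directory with `scan_dir("DynamoDBLocal_lib")`; anything reported as JNDI_PRESENT is a jar, or a jar inside a jar, that still ships the class the answer says 1.17.1 strips out.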
Thank you sir. My concern with version dynamodb-local 1.17.2 is that there's an additional CVE for log4j 2.16.x - see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105. I think we will probably go with 1.17.1 until there's a newer release. Thank you for the info!
@plumlee The DynamoDB team intends to roll out updates that will bump the Log4J version to 2.17.X in the next 1-2 weeks. As soon as I am informed of the newest release, I will comment on here.