By using AWS re:Post, you agree to the Terms of Use

log4j issue with dynamodb-local - looking for release info and a date for what would be 1.17.3 with log4j 2.17

0

This is regarding the recent (2021-12) issues with log4j (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).

The AWS page on setting up DynamoDB Local at https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DynamoDBLocal.DownloadingAndRunning.html links to the most current version which shows at 1.17.2 in the README file. There's doesn't seem to be any listing of versions except for the XML file at https://s3.us-west-2.amazonaws.com/dynamodb-local/ and I can't find any resource indicating if there will be a release that bumps the log4j version up to 2.17, which fixes the latest issue found in that module.

Is there a public resource indicating when we can expect a new version or even a public repo for the source code that we can watch for changes? I can't find anything indicating when we might expect a new version or where we can track releases.

Should we stick with 1.17.1 which patches the issue (equivalent to using log4j 2.13.3, if I'm reading correctly) until there's a new version of dynamodb-local that upgrades to log4j 2.17?

1 Answer
1

DynamoDB Local recently patched version 1.17.1 which includes custom binary that patches Log4j v2.13.x to remove JndiLookup class. They have also released 1.17.2 which uses Log4j 2.16.x, which does not include the vulnerability CVE-2021-44228:

From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed

From the download of version 1.17.2 you can assert that is uses this library:

ls DynamoDBLocal_lib | grep Log4j-core.

Furthermore, you can assert that this package does not contain the JndiLookup class:

unzip -l DynamoDBLocal_lib/Log4j-core-2.16.jar | grep -i JndiLookup

DynamoDB Local does not have a public facing repository, however, you can stay up to date with updates on the latest releases here.

profile picture
answered 9 months ago
  • Thank you sir. My concern with version dynamodb- local 1.17.2. is that there's an additional CVE for log4j 2.16.x - see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105. I think we will probably go with 1.17.1 until there's a newer release. Thank you for the info!

  • @plumlee DynamoDB team intend to roll out updates which will bump the Log4J version to 2.17.X in the next 1-2 weeks. As soon as I am informed of the newest release, I will comment on here.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions