DynamoDB Local recently patched version 1.17.1, which includes a custom binary that patches Log4j v2.13.x to remove the JndiLookup class. They have also released 1.17.2, which uses Log4j 2.16.x, which does not include the vulnerability CVE-2021-44228:
From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed
From the download of version 1.17.2 you can assert that it uses this library:
ls DynamoDBLocal_lib | grep Log4j-core
Furthermore, you can assert that this package does not contain the JndiLookup class:
unzip -l DynamoDBLocal_lib/Log4j-core-2.16.jar | grep -i JndiLookup
DynamoDB Local does not have a public-facing repository; however, you can stay up to date with updates on the latest releases here.
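A broader version of the jar check in the answer above, as an added example that is not part of the original answer or AWS's own code: it scans every archive in a directory such as DynamoDBLocal_lib and also looks inside nested archives, which a single `unzip -l` call does not. The `make_jar` helper and the sample jar names are constructed for the demo.

```python
import io
import sys
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def find_jndi_lookup(data, label, depth=0, max_depth=4):
    """Return the label of every archive (nested ones included) that contains JndiLookup.class."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, nothing to report
    with archive:
        for name in archive.namelist():
            if name.endswith(JNDI_CLASS):
                hits.append(label)
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and depth < max_depth:
                # Recurse into bundled jars; "!" separates outer archive from inner entry.
                hits += find_jndi_lookup(archive.read(name), f"{label}!{name}", depth + 1, max_depth)
    return hits

def scan_directory(lib_dir):
    """Scan every archive under lib_dir, for example DynamoDBLocal_lib."""
    hits = []
    for path in sorted(Path(lib_dir).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            hits += find_jndi_lookup(path.read_bytes(), str(path))
    return hits

def make_jar(entries):
    """Build a constructed in-memory jar from {entry name: bytes}; used only for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, content in entries.items():
            jar.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = scan_directory(sys.argv[1])
    else:  # constructed samples: a patched jar and a fat jar bundling an unpatched core
        patched = make_jar({"org/apache/logging/log4j/core/Logger.class": b""})
        fat = make_jar({"lib/log4j-core.jar": make_jar({JNDI_CLASS: b""})})
        found = find_jndi_lookup(patched, "patched.jar") + find_jndi_lookup(fat, "app.jar")
    print("\n".join(found) if found else "JndiLookup.class not found")
```

An empty result means no scanned archive ships the class under its standard package path; a shaded copy relocated to another package would not be matched.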
Thank you sir. My concern with version dynamodb-local 1.17.2 is that there's an additional CVE for log4j 2.16.x - see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105. I think we will probably go with 1.17.1 until there's a newer release. Thank you for the info!
@plumlee DynamoDB team intend to roll out updates which will bump the Log4J version to 2.17.X in the next 1-2 weeks. As soon as I am informed of the newest release, I will comment on here.