log4j issue with dynamodb-local - looking for release info and a date for what would be 1.17.3 with log4j 2.17


This is regarding the recent (2021-12) issues with log4j (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).

The AWS page on setting up DynamoDB Local at https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DynamoDBLocal.DownloadingAndRunning.html links to the most current version, which shows as 1.17.2 in the README file. There doesn't seem to be any listing of versions except for the XML file at https://s3.us-west-2.amazonaws.com/dynamodb-local/, and I can't find any resource indicating whether there will be a release that bumps the log4j version up to 2.17, which fixes the latest issue found in that module.

Is there a public resource indicating when we can expect a new version or even a public repo for the source code that we can watch for changes? I can't find anything indicating when we might expect a new version or where we can track releases.

Should we stick with 1.17.1 which patches the issue (equivalent to using log4j 2.13.3, if I'm reading correctly) until there's a new version of dynamodb-local that upgrades to log4j 2.17?

plumlee
Asked 2 years ago, viewed 377 times
1 answer

DynamoDB Local recently patched version 1.17.1, which includes a custom binary that patches Log4j v2.13.x to remove the JndiLookup class. They have also released 1.17.2, which uses Log4j 2.16.x, which does not include the vulnerability CVE-2021-44228:

From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed

From the download of version 1.17.2 you can assert that it uses this library:

ls DynamoDBLocal_lib | grep Log4j-core

Furthermore, you can assert that this package does not contain the JndiLookup class:

unzip -l DynamoDBLocal_lib/Log4j-core-2.16.jar | grep -i JndiLookup

DynamoDB Local does not have a public facing repository, however, you can stay up to date with updates on the latest releases here.

AWS
Expert
Answered 2 years ago
  • Thank you sir. My concern with dynamodb-local version 1.17.2 is that there's an additional CVE for log4j 2.16.x - see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105. I think we will probably go with 1.17.1 until there's a newer release. Thank you for the info!

  • @plumlee The DynamoDB team intends to roll out updates which will bump the Log4J version to 2.17.X in the next 1-2 weeks. As soon as I am informed of the newest release, I will comment here.
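The two checks the answer gives (`ls ... | grep Log4j-core` for the shipped version, `unzip -l ... | grep -i JndiLookup` for the class) can be combined into one audit that reports which of the two CVEs discussed in this thread still apply to a given DynamoDBLocal_lib directory. The script below is an added example, not code from the thread or from AWS. It assumes the jar is named `log4j-core-<version>.jar` in either capitalisation (the thread shows `Log4j-core-2.16.jar`), treats a pre-2.16 jar with no JndiLookup.class as the 1.17.1-style stripped build, and applies the per-branch fix versions from the Log4j advisories (JndiLookup removed in 2.16.0 / 2.12.2 / 2.3.1; the CVE-2021-45105 recursion fix in 2.17.0 / 2.12.3 / 2.3.1). The sample jars it scans are constructed in a temp directory and contain only a manifest and, where noted, a stub JndiLookup.class entry; point `audit_lib_dir` at a real DynamoDBLocal_lib instead.

```python
import os
import re
import tempfile
import zipfile

# Class that performed JNDI lookups: stripped from DynamoDB Local 1.17.1's
# custom build and removed upstream from 2.16.0 (and 2.12.2, 2.12.3, 2.3.1).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Assumption: jar is named log4j-core-<ver>.jar; DynamoDB Local capitalises "Log4j".
CORE_JAR_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+){0,2})\.jar$", re.IGNORECASE)


def parse_version(text):
    """'2.16' -> (2, 16, 0): always a 3-tuple so comparisons are well defined."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def fix_thresholds(version):
    """(first version without JndiLookup, first version fixing CVE-2021-45105)
    for the release branch the given version belongs to (2.3.x, 2.12.x, main)."""
    major, minor, _ = version
    if major == 2 and minor == 3:
        return (2, 3, 1), (2, 3, 1)
    if major == 2 and minor == 12:
        return (2, 12, 2), (2, 12, 3)
    return (2, 16, 0), (2, 17, 0)


def jndi_lookup_present(jar_path):
    """Same question as `unzip -l <jar> | grep -i JndiLookup`, read from the zip index."""
    with zipfile.ZipFile(jar_path) as jar:
        return any(name.endswith("JndiLookup.class") for name in jar.namelist())


def assess_jar(jar_path):
    """Describe one log4j-core jar; return None for any other file."""
    match = CORE_JAR_RE.match(os.path.basename(jar_path))
    if not match:
        return None
    version = parse_version(match.group(1))
    jndi_fixed, recursion_fixed = fix_thresholds(version)
    has_jndi = jndi_lookup_present(jar_path)
    findings = []
    if has_jndi and version < jndi_fixed:  # old version AND the class is still there
        findings.append("CVE-2021-44228")
    if version < recursion_fixed:  # class removal does not address the recursion DoS
        findings.append("CVE-2021-45105")
    return {
        "jar": os.path.basename(jar_path),
        "version": version,
        "jndi_lookup_present": has_jndi,
        # Old version but class removed: the 1.17.1 "custom binary" situation.
        "jndi_class_stripped": (not has_jndi) and version < jndi_fixed,
        "findings": findings,
    }


def audit_lib_dir(lib_dir):
    """Assess every log4j-core jar directly under lib_dir (e.g. DynamoDBLocal_lib)."""
    results = []
    for name in sorted(os.listdir(lib_dir)):
        result = assess_jar(os.path.join(lib_dir, name))
        if result is not None:
            results.append(result)
    return results


def build_demo_lib_dir():
    """Constructed sample input (not a real distribution): tiny jars holding a
    manifest and, where marked, a stub JndiLookup.class entry. Versions mirror
    the thread: 2.13.x with the class stripped (1.17.1), 2.16 (1.17.2), 2.17.x;
    2.14.1 with the class present stands in for an unpatched stock build."""
    lib_dir = tempfile.mkdtemp(prefix="DynamoDBLocal_lib_")
    samples = {
        "Log4j-core-2.13.3.jar": False,       # class removed by the custom binary
        "Log4j-core-2.16.jar": False,         # upstream removed the class
        "log4j-core-2.17.1.jar": False,
        "log4j-core-2.14.1.jar": True,        # stock build, class still present
        "aws-java-sdk-core-1.12.jar": False,  # not log4j-core; must be skipped
    }
    for jar_name, with_jndi in samples.items():
        with zipfile.ZipFile(os.path.join(lib_dir, jar_name), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if with_jndi:
                jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # stub bytes only
    return lib_dir


if __name__ == "__main__":
    for row in audit_lib_dir(build_demo_lib_dir()):
        status = ", ".join(row["findings"]) or "no finding"
        jndi = "present" if row["jndi_lookup_present"] else "absent"
        print(f"{row['jar']}: {'.'.join(map(str, row['version']))}, JndiLookup {jndi} -> {status}")
```

On the constructed directory the 2.13.3 and 2.16 jars both come back with only CVE-2021-45105, which is exactly the point made in the comments: stripping JndiLookup (1.17.1) or moving to 2.16 (1.17.2) closes CVE-2021-44228 but not the recursion issue, so neither choice is preferable to the other on that CVE, and only a 2.17.x jar clears both checks.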
