AWSGlueETL depends on log4j versions with security vulnerability CVE-2021-44228

Having received the notification about the log4j security vulnerability, I looked into whether my application is affected. I found that it does depend on log4j versions with the security vulnerability: the AWSGlueETL artifact pulled in through pom.xml contains the following definitions.

    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.4.1</version>
    </dependency>

    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.4.1</version>
    </dependency>

    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.17</version>
    </dependency>

The latest version, 3.0.0, also depends on the same vulnerable versions. I would like to know whether this will be fixed in the future.
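The question above boils down to "which log4j-core version actually ends up on my classpath, and is it in the affected range?". The script below is an added example, not part of the original question or of the AWSGlueETL project: it parses the output of `mvn dependency:tree`, picks out `org.apache.logging.log4j:log4j-core`, and reports whether the resolved version falls in the ranges affected by CVE-2021-44228 (2.0-beta9 through 2.14.1) or CVE-2021-45046 (up to and including 2.15.0), treating the 2.3.1+ and 2.12.2+ back-port releases as fixed. The sample tree is constructed for the example, and the Maven coordinate `com.amazonaws:AWSGlueETL` used in it is an assumption, not something the question states.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample of `mvn dependency:tree` output (not taken from the question).
# The com.amazonaws:AWSGlueETL coordinate is an assumed stand-in for the library.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ glue-job ---
[INFO] com.example:glue-job:jar:1.0.0
[INFO] +- com.amazonaws:AWSGlueETL:jar:3.0.0:provided
[INFO] |  +- org.apache.logging.log4j:log4j-api:jar:2.4.1:provided
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.4.1:provided
[INFO] |  \\- log4j:log4j:jar:1.2.17:provided
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# Only log4j-core 2.x carries the JNDI lookup code; log4j:log4j 1.x is a
# different artifact and is deliberately not matched by this check.
LOG4J_CORE = ("org.apache.logging.log4j", "log4j-core")

_STAGE = {"beta": 0, "rc": 1}  # pre-release stages order before a final release (2)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$")


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.0-beta9', '2.0-rc1', '2.0' or '2.4.1' into a comparable tuple."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported log4j version string: {version}")
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch or 0), _STAGE.get(stage, 2), int(num or 0))


FIRST_AFFECTED = version_key("2.0-beta9")


def _backport_fixed(key: Tuple[int, int, int, int, int]) -> bool:
    """2.3.1+ (Java 6 line) and 2.12.2+ (Java 7 line) are patched back-port releases."""
    major, minor, patch, stage, _ = key
    return major == 2 and stage == 2 and (
        (minor == 3 and patch >= 1) or (minor == 12 and patch >= 2)
    )


def log4j_core_cves(version: str) -> List[str]:
    """Return the CVEs from this page that the given log4j-core version is affected by."""
    key = version_key(version)
    if key < FIRST_AFFECTED or _backport_fixed(key):
        return []
    cves = []
    if key <= version_key("2.14.1"):   # fixed in 2.15.0
        cves.append("CVE-2021-44228")
    if key <= version_key("2.15.0"):   # fixed in 2.16.0
        cves.append("CVE-2021-45046")
    return cves


def parse_dependency_tree(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (groupId, artifactId, version, scope) from `mvn dependency:tree` output."""
    for line in text.splitlines():
        token = line.replace("[INFO]", "").strip().lstrip("|+\\- ")
        token = token.split(" (")[0].strip()  # drop trailing "(default-cli) ..." style notes
        parts = token.split(":")
        if len(parts) == 4:        # root project line: g:a:type:version
            group, artifact, _type, version = parts
            scope = "root"
        elif len(parts) == 5:      # g:a:type:version:scope
            group, artifact, _type, version, scope = parts
        elif len(parts) == 6:      # g:a:type:classifier:version:scope
            group, artifact, _type, _classifier, version, scope = parts
        else:
            continue               # plugin banner lines and other noise
        yield group, artifact, version, scope


def find_vulnerable_log4j(text: str) -> List[Tuple[str, str, List[str]]]:
    """List every resolved log4j-core that is in an affected range, with scope and CVEs."""
    findings = []
    for group, artifact, version, scope in parse_dependency_tree(text):
        if (group, artifact) != LOG4J_CORE:
            continue
        cves = log4j_core_cves(version)
        if cves:
            findings.append((version, scope, cves))
    return findings


if __name__ == "__main__":
    # Real usage: mvn dependency:tree > tree.txt ; python this_script.py < tree.txt
    for version, scope, cves in find_vulnerable_log4j(SAMPLE_TREE):
        print(f"log4j-core {version} ({scope} scope) affected by {', '.join(cves)}")
```

Because `mvn dependency:tree` prints the version Maven actually resolves (nearest-wins), this reflects what will be packaged, unlike reading the library's own pom. A finding in `provided` scope, as for the sample above, means the runtime supplied by the service decides which jar is really loaded, which is exactly the situation the question is about.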

AWS has already provided an update; it looks like they are applying the Amazon-developed Java hot patch to all affected services. See here for more information: https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

From the documentation:

Responding to security issues such as this one shows the value of having multiple layers of defensive technologies, which is so important to maintaining the security of our customers’ data and workloads. We've taken this issue very seriously, and our world-class team of engineers has fully deployed the Amazon-developed Java hot patch available here to all AWS services. The hot patch updates the Java VM to disable the loading of the Java Naming and Directory Interface (JNDI) class, replacing it with a harmless notification message, which mitigates CVE-2021-44228 and CVE-2021-45046. We will shortly complete our deployment of the updated Log4j library to all of our services. More information about the Java hotpatch is available at https://aws.amazon.com/blogs/security/open-source-hotpatch-for-apache-log4j-vulnerability/

Thanks