Log4j vulnerability in MLeap runtime?
The log4j core code is built into the MLeap runtime. What is the MLeap project’s action to use a patched version of log4j?
The current workaround is to add a system property to the JVM’s startup, -Dlog4j2.formatMsgNoLookups=true, via the JAVA_OPTS environment variable. But if someone relied on this functionality, a patched version would be required.
Thanks!
Issue Analytics
- State:
- Created 2 years ago
- Comments:6 (6 by maintainers)
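One way to verify both points raised in the issue, that log4j-core is bundled inside a runtime jar and whether the workaround property is present in JAVA_OPTS. This is an added example, not code from the issue or the MLeap project; the function names, the sample jar and its version value are constructed for illustration, and the pom.properties path assumes the Maven metadata was kept when the jar was built.

```python
import io
import os
import re
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_SUFFIX = "log4j/core/lookup/JndiLookup.class"  # suffix match also catches relocated packages
FLAG = "-Dlog4j2.formatMsgNoLookups=true"  # the workaround named in the issue

def scan_jar(data, name):
    """List log4j-core copies inside a jar (bytes), descending into nested jars."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable archive; skip it
    with zf:
        names = sorted(zf.namelist())
        version = None
        if POM_PROPS in names:
            m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
            version = m.group(1).strip() if m else None
        has_jndi = any(n.endswith(JNDI_SUFFIX) for n in names)
        if version or has_jndi:
            findings.append({"jar": name, "version": version, "jndi_lookup": has_jndi})
        for n in names:
            if n.endswith((".jar", ".war")):
                findings += scan_jar(zf.read(n), f"{name}!{n}")
    return findings

def has_workaround(java_opts):
    """True if the JAVA_OPTS string carries the formatMsgNoLookups property."""
    return FLAG in java_opts.split()

def make_jar(entries):
    """Build an in-memory jar from {path: content}; used only for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()

# Constructed sample: a fat jar bundling log4j-core as a nested jar (version is a sample value).
INNER = make_jar({"org/apache/logging/" + JNDI_SUFFIX: b"\xca\xfe\xba\xbe", POM_PROPS: "version=2.14.1\n"})
SAMPLE = make_jar({"lib/log4j-core.jar": INNER, "app/Main.class": b""})

if __name__ == "__main__":
    for f in scan_jar(SAMPLE, "sample-runtime.jar"):
        print(f)
    print("workaround in JAVA_OPTS:", has_workaround(os.environ.get("JAVA_OPTS", "")))
```

To scan a real artifact, pass `open(path, "rb").read()` to `scan_jar` and compare the reported version against the Apache Log4j security page.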
Yes, we’re planning to ship v0.19.0 soon, so a spring upgrade probably would go in v0.19.1 release.
I just tried to simply upgrade the spring dependency version and we have some failing tests. So will need a bit of work it seems.
This is fixed in #797 and since we didn’t get v0.19 released prior to the holidays, I suspect we’ll include it in 0.19.0 release too.