
List:       axis-user-ja
Subject:    Re: [Axis2] Apache Axis2 Root 1.8.0 is vulnerable to Log4J issue
From:       robertlazarski <robertlazarski () gmail ! com>
Date:       2022-03-21 19:22:51
Message-ID: CABpPLBWw9Z0G9BGAw0i5X=Swp7hNE1wNXFJEykDFfHSLqpXsHg () mail ! gmail ! com

As mentioned in AXIS2-6017, there ended up being 5 updates of log4j2 so the
best course of action is not to wait for us but rather patch your own
systems via pom.xml updates.

The hold-up so far on 1.8.1 is that there are lots of other recent Jira
issues closed that were also important to our users.

That being said, we targeted the end of March for a release and it should
happen next week.

Here's what's about to happen:

1) Release Axiom 1.3.1 due to AXIOM-512.

2) Release Axis2. The last issue for discussion is some package renaming.

https://lists.apache.org/thread/5qdnjbdklkxqszkf8l67hfxpnhf0zm85

3) Release Rampart.
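The pom.xml update the reply recommends, written out as an added example (not code from the Axis2 project or from either author): importing the log4j BOM under dependencyManagement overrides the version of every log4j2 module that the axis2 artifact pulls in transitively, and an enforcer rule fails the build if an older log4j-core still resolves through any path. The `log4j2.version` value is a placeholder to be set to the current fixed log4j2 release.

```xml
<properties>
  <!-- Placeholder: set to the current log4j2 release that fixes the CVEs listed below. -->
  <log4j2.version>REPLACE-WITH-FIXED-LOG4J2-RELEASE</log4j2.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Importing the log4j BOM pins every log4j2 module that axis2 pulls in transitively. -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-bom</artifactId>
      <version>${log4j2.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- The Axis2 artifact from the thread, unchanged; its log4j2 transitives now resolve via the BOM. -->
  <dependency>
    <groupId>org.apache.axis2</groupId>
    <artifactId>axis2</artifactId>
    <version>1.8.0</version>
  </dependency>
</dependencies>

<build>
  <plugins>
    <!-- Fail the build if anything still resolves an older log4j-core, so the override cannot regress. -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <executions>
        <execution>
          <id>ban-vulnerable-log4j</id>
          <goals><goal>enforce</goal></goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <excludes>
                  <!-- Maven version range: any log4j-core below the pinned release. -->
                  <exclude>org.apache.logging.log4j:log4j-core:(,${log4j2.version})</exclude>
                </excludes>
              </bannedDependencies>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

After the change, `mvn dependency:tree -Dincludes=org.apache.logging.log4j` shows which log4j2 versions actually resolve, which is the check to run before trusting the override.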

On Thu, Mar 17, 2022 at 8:20 AM Lewe, Philipp
<philipp.lewe@accenture.com.invalid> wrote:

> Dear Axis2 developers,
>
> The latest available Apache Axis2 version on Maven Central is vulnerable to
> several known CVEs.
>
> For example, the by now not so recent Log4j CVEs are really, really
> critical, because they allow remote code execution (RCE) attacks.
> CVE-2021-45105
> CVE-2021-45046
> CVE-2021-44832
> CVE-2021-44228
> CVE-2021-22060
>
> see https://mvnrepository.com/artifact/org.apache.axis2/axis2/1.8.0
>
> Seems like Dependabot already automatically bumped the versions in the master
> branch (1.8.1-SNAPSHOT version).
> However that version with fixes was not released yet.
>
> Could someone with maintainer rights on the Apache Axis2 repository
> release the 1.8.1 version?
>
> I am happy to support you on any release tasks where needed.
>
> Cheers,
> Philipp
>
> Philipp Lewe
> Application Development Specialist – Accenture Interactive Delivery
>
> Accenture Technology Solutions GmbH
> Sebrathweg 20
> 44149 Dortmund
>
> Mobile: +49 175-576-4703
> philipp.lewe@accenture.com
>
>
> Sitz: Kronberg. Registergericht: Königstein im Taunus, HRB 5968.
> Geschäftsführer: Antje Hoffmann, Marcus Huth, Ildiko Kreisz, Michael
> Nolte, Jürgen Pinkl
>
>
>
> ________________________________
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise confidential information. If you have
> received it in error, please notify the sender immediately and delete the
> original. Any other use of the e-mail by you is prohibited. Where allowed
> by local law, electronic communications with Accenture and its affiliates,
> including e-mail and instant messaging (including content), may be scanned
> by our systems for the purposes of information security and assessment of
> internal compliance with Accenture policy. Your privacy is important to us.
> Accenture uses your personal data only in compliance with data protection
> laws. For further information on how Accenture processes your personal
> data, please see our privacy statement at
> https://www.accenture.com/us-en/privacy-policy.
>
> ______________________________________________________________________________________
>
> www.accenture.com
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
> For additional commands, e-mail: java-dev-help@axis.apache.org
>
>