Entries tagged [log4j2]

Apache Ignite 2.11.1: Emergency Log4j2 Update

December 21, 2021 by Maxim Muzafarov.

The new Apache Ignite 2.11.1 is an emergency release that fixes CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105, which are related to usage of the ignite-log4j2 module.

Apache Ignite with Log4j Vulnerability

A deployment is affected only when all of the following conditions are met:

  • An Apache Ignite version lower than 2.11.0 is used (these vulnerabilities are already fixed in 2.11.1, 2.12, and later versions);
  • The ignite-log4j2 module is used by Apache Ignite and located in the libs directory (by default it is located in the libs/optional directory, so such deployments are not affected);
  • The Java version in use is older than the following versions: 8u191, 11.0.1. This is because later versions set the JVM property com.sun.jndi.ldap.object.trustURLCodebase to false by default, which disables JNDI loading of classes from arbitrary URL code bases.

NOTE: Relying only on the Java version as a protection against these vulnerabilities is very risky and has not been tested.
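A local check for the second and third conditions above, as an added example that is not part of the Apache Ignite release or the original post. The function names are hypothetical, and the jar name patterns (ignite-log4j2*.jar, log4j-core-*.jar) are assumptions about how the module's files are named.

```shell
#!/bin/sh
# Added example: checks the module-location and Java-version conditions
# for one Ignite install directory.
# Assumption: the module is enabled by placing its jars under libs/ outside libs/optional/.

# Print ignite-log4j2 / log4j-core jars under libs/ but outside libs/optional/.
active_log4j2_jars() {
    find "$1/libs" -path "$1/libs/optional" -prune -o -type f \
        \( -name 'ignite-log4j2*.jar' -o -name 'log4j-core-*.jar' \) -print 2>/dev/null
}

# Classify a Java version string (e.g. 1.8.0_181, 11.0.1) against the thresholds
# 8u191 and 11.0.1 named above. Prints: older | not-older | unknown
java_threshold() {
    case "$1" in
        1.8.0)   echo older ;;
        1.8.0_*) upd=${1#1.8.0_}; upd=${upd%%[!0-9]*}   # "181-b13" -> "181"
                 [ -n "$upd" ] || { echo unknown; return; }
                 if [ "$upd" -lt 191 ]; then echo older; else echo not-older; fi ;;
        11|11.0|11.0.0) echo older ;;
        11.*)    echo not-older ;;
        *)       echo unknown ;;   # no threshold is given above for other release lines
    esac
}

# Report for an install directory ($1) and a Java version string ($2).
# Returns 0 when the module is not active, 1 when it is.
check_ignite() {
    jars=$(active_log4j2_jars "$1")
    if [ -z "$jars" ]; then
        echo "ignite-log4j2 not active under $1/libs"
        return 0
    fi
    echo "ignite-log4j2 active; upgrade to 2.11.1 or later:"
    echo "$jars"
    echo "Java $2 vs 8u191/11.0.1: $(java_threshold "$2") (not a mitigation on its own)"
    return 1
}

# Run against a real install only when IGNITE_HOME is set.
if [ -n "${IGNITE_HOME:-}" ]; then
    check_ignite "$IGNITE_HOME" "$(java -version 2>&1 | sed -n '1s/.*"\(.*\)".*/\1/p')" || true
fi
```

The listed jar file names carry the shipped versions, which is where to read the Ignite version for the first condition.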