- Bug
- Resolution: Done
- Highest
- Istanbul Release, Jakarta Release
A new zero-day exploit, popularly known as 'log4shell', has been discovered in versions of log4j2 prior to version 2.15.0.
The recommended corrective action is to upgrade to version 2.15.0. However, this is not practical to implement immediately, since the current OpenDaylight itself also has this flaw.
In the meantime, this exploit can be remediated by setting the Java system property log4j2.formatMsgNoLookups to true.
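One way to check an installation against the two remediations described above, as an added example that is not code from this ticket or from the project. It assumes jars keep the standard log4j-core-<version>.jar file name (copies shaded or embedded in other bundles are not detected), and the status names are this example's own; log4j2 only honours formatMsgNoLookups from 2.10.0 onward, so older jars are reported separately.

```python
import re
import sys
from pathlib import Path

FIXED = (2, 15, 0)       # upgrade target named in the ticket
FLAG_SINCE = (2, 10, 0)  # log4j2 honours formatMsgNoLookups only from 2.10.0
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?.*\.jar$")
FLAG_RE = re.compile(r"-Dlog4j2\.formatMsgNoLookups=(\S+)")


def jar_version(filename):
    """Parse (major, minor, patch) from a log4j-core jar name, else None."""
    m = JAR_RE.match(filename)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def flag_set(jvm_opts):
    """True only if the property appears and every occurrence is 'true'.

    log4j2 compares the value case-insensitively, so 'True' also counts.
    Conflicting duplicates are treated as not set (fail closed).
    """
    values = [v.strip("\"'").lower() for v in FLAG_RE.findall(jvm_opts)]
    return bool(values) and all(v == "true" for v in values)


def classify(version, jvm_opts):
    """Status of one jar version under the given JVM option string."""
    if version >= FIXED:
        return "fixed"
    if not flag_set(jvm_opts):
        return "vulnerable"
    return "mitigated" if version >= FLAG_SINCE else "vulnerable-flag-ignored"


def audit(root, jvm_opts):
    """Return sorted (relative path, version, status) for each jar under root."""
    rows = []
    for jar in Path(root).rglob("log4j-core-*.jar"):
        version = jar_version(jar.name)
        if version:
            rows.append((str(jar.relative_to(root)), version, classify(version, jvm_opts)))
    return sorted(rows)


if __name__ == "__main__":
    # Constructed sample (not from a real host); use audit(dir, opts) on an install.
    opts = sys.argv[1] if len(sys.argv) > 1 else "-Xmx2g -Dlog4j2.formatMsgNoLookups=True"
    for name in ["log4j-core-2.14.1.jar", "log4j-core-2.8.2.jar", "log4j-core-2.15.0.jar"]:
        print(f"{classify(jar_version(name), opts):24} {name}")
```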
- relates to
  - CCSDK-3618 3PP dependency version update - A1 Kohn (Closed)
  - SDNC-1655 Fix log4j vulnerability in Istanbul Maintenance (Closed)
  - CCSDK-3581 3PP dependency version update (Closed)