A new security vulnerability (CVE-2021-44228) has been issued in the industry for the Log4j component. The severity of the issue is 10.0.
Log4j 1 and Log4j 2 are both vulnerable before version 2.15.0.
3PPs which bundle vulnerable Log4j versions must also be checked.
The ONAP TSC has requested prompt action from all ONAP projects.
We've checked all of this in the pom.xml files for direct dependencies and in the ONAP Nexus IQ for the transitive ones.
From a Policy Framework point of view, there are no direct dependencies on anything older than 2.15.0.
Transitive Dependencies:
- CDS uses a version of a Spring Framework dependency (spring-boot-starter-logging:2.5.0) that brings in an old version of log4j. I am excluding the log4j dependency and replacing it with the newest log4j in our parent POM.
- CLAMP is using camel:3.7.3, which drags in an old version of log4j; stepping camel to version 3.13.0 fixes this. Camel version 3.13.0 pulls in log4j version 2.16.0.
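As an added illustration of the exclude-and-replace approach described for the CDS dependency (constructed example configuration, not the Policy Framework's own parent POM): a Maven parent POM fragment. The log4j artifact ids, the wildcard exclusion and the use of the log4j BOM are assumptions; 2.16.0 is the version the Camel note above cites.

```xml
<!-- Constructed parent POM fragment. Assumed: spring-boot-starter-logging
     2.5.0 transitively pulls in org.apache.logging.log4j artifacts
     (log4j-api, log4j-to-slf4j); 2.16.0 is the version named above. -->
<project>
  <properties>
    <!-- single place to bump log4j for the whole build -->
    <log4j.version>2.16.0</log4j.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Pin every log4j 2 artifact, including ones that arrive
           transitively (e.g. via camel), to the managed version. -->
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-bom</artifactId>
        <version>${log4j.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-logging</artifactId>
      <version>2.5.0</version>
      <exclusions>
        <!-- drop the old log4j the starter would otherwise bring in;
             the "*" wildcard needs Maven 3.2.1 or later -->
        <exclusion>
          <groupId>org.apache.logging.log4j</groupId>
          <artifactId>*</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <!-- re-add the log4j-to-slf4j bridge; its version now comes from
         the managed BOM above, not from the Spring Boot starter -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-to-slf4j</artifactId>
    </dependency>
  </dependencies>
</project>
```

After the change, `mvn dependency:tree -Dincludes=org.apache.logging.log4j` should list only the managed version under every module; this is the same check the CLM job automates.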
Two patches are being raised for these changes.
Once we raise and check in these patches, we need to:
- do a full build
- run our CSITs in Jenkins on all our components to make sure we haven't broken anything
- run our CLM jobs on master to check that the actions we have taken have worked and all the old log4j dependencies are gone
- cherry-pick to Istanbul and repeat the three bullets above
We may have to do an Istanbul maintenance release and a Jakarta interim release to push these changes out; let's await advice from the TSC on this.
Relates to: POLICY-3958 Release Policy Framework for Istanbul Maintenance Release