From 8a3d1750db49f4d8a0c5192d82d4a931ee5f042b Mon Sep 17 00:00:00 2001 From: Bart Skowron Date: Mon, 20 Dec 2021 13:39:28 +0100 Subject: [PATCH] Release v1.8.1 (#292) * Update README.md * Release v1.8.1 --- CHANGELOG.md | 4 ++++ gradle.properties | 2 +- rollbar-log4j2/README.md | 22 +++++++++++++++------- 3 files changed, 20 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cc5773ec..77b39ad9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # Change Log +# 1.8.1 + +- Update log4j dependencies to v2.17.0 to fix CVE-2021-45105 [#291](https://github.com/rollbar/rollbar-java/pull/291) + # 1.8.0 - Update log4j dependencies to v 2.16.0 (#287) diff --git a/gradle.properties b/gradle.properties index e831b945..870bc89f 100644 --- a/gradle.properties +++ b/gradle.properties @@ -1,4 +1,4 @@ -VERSION_NAME=1.8.1-SNAPSHOT +VERSION_NAME=1.8.1 GROUP=com.rollbar POM_DESCRIPTION=For connecting your applications built on the JVM to Rollbar for Error Reporting diff --git a/rollbar-log4j2/README.md b/rollbar-log4j2/README.md index 5e81c8e1..d9e527ae 100644 --- a/rollbar-log4j2/README.md +++ b/rollbar-log4j2/README.md @@ -1,28 +1,36 @@ # Rollbar Log4j 2 integration -This directory contains the Log4j 2 integration of the Rollbar Java SDK. +This directory contains the Log4j 2 integration of the Rollbar Java SDK. Instructions for building and contributing to the SDK can be found in the main repository [README](../README.md). ## Compatibility -Staring with version `1.8.0`, `rollbar-log4j2` depends on version `2.16.0` of `log4j-core`. This removes compatibility with Java 7, but was a necessary upgrade to fix the CVE-2021-44228 vulnerability in Log4j. +Staring with version `1.8.0`, `rollbar-log4j2` depends on version `2.16.0` (or later) of `log4j-core`. +This removes compatibility with Java 7, but was a necessary upgrade to fix the following vulnerabilites in Log4j: -Projects built and / or running with Java 7 can still use `rollbar-log4j2` version `1.8.0`, while forcing the use of a **vulnerable**, Java 7 compatible version of `Log4j`, by updating their build configuration to ignore transitive dependencies from `rollbar-log4j2`. +- CVE-2021-44228 +- CVE-2021-45046 +- CVE-2021-45105 + +Projects built and/or running with Java 7 can still use `rollbar-log4j2` version `1.8.0+`, +while forcing the use of a **vulnerable**, Java 7 compatible version of `Log4j`, +by updating their build configuration to ignore transitive dependencies from `rollbar-log4j2`. Gradle configuration: ```gradle dependencies { - implementation(group: 'com.rollbar', name: 'rollbar-log4j2', version: '1.8.0') { + implementation(group: 'com.rollbar', name: 'rollbar-log4j2', version: '1.8.1') { exclude group: 'org.apache.logging.log4j' } - implementation group: 'org.apache.logging.log4j', name: 'log4j-slf4j-impl', version: '2.12.1' - annotationProcessor group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.12.1' + implementation group: 'org.apache.logging.log4j', name: 'log4j-slf4j-impl', version: '2.12.2' + annotationProcessor group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.12.2' } ``` -Note CVE-2021-44228 is a major RCE vulnerability and this approach should only be used after a thorough security analysis, and with very strong mitigations in place. +While CVE-2021-44228 and CVE-2021-45046 are already fixed in `2.12.2`, CVE-2021-45105 is **not** fixed for Java 7. +Note CVE-2021-45105 is a high DoS vulnerability and this approach should only be used after a thorough security analysis, and with very strong mitigations in place.