Update log4j (#3151)

Signed-off-by: Adrian Sutton <[email protected]> Signed-off-by: Justin Florentine <[email protected]>
hyperledger · Dec 10, 2021 · a4f0627 · a4f0627
1 parent 426dd5d
commit a4f0627
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## 21.10.3
+
+### Bug Fixes
+- Updated log4j to 2.15.0 and disabled JNDI message format lookups to improve security.
+
 ## 21.10.2
 
 ### Additions and Improvements

diff --git a/build.gradle b/build.gradle
@@ -471,6 +471,8 @@ applicationDefaultJvmArgs = [
   // We shutdown log4j ourselves, as otherwise this shutdown hook runs before our own and whatever
   // happens during shutdown is not logged.
   '-Dlog4j.shutdownHookEnabled=false',
+  // Disable JNI lookups in log4j messages to improve security
+  '-Dlog4j2.formatMsgNoLookups=true',
   // Redirect java.util.logging loggers to use log4j2.
   '-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager',
   // Suppress Java JPMS warnings.  Document the reason for each suppression.

diff --git a/gradle/versions.gradle b/gradle/versions.gradle
@@ -100,10 +100,10 @@ dependencyManagement {
     dependency 'org.apache.commons:commons-compress:1.21'
     dependency 'org.apache.commons:commons-text:1.9'
 
-    dependency 'org.apache.logging.log4j:log4j-api:2.14.1'
-    dependency 'org.apache.logging.log4j:log4j-core:2.14.1'
-    dependency 'org.apache.logging.log4j:log4j-jul:2.14.1'
-    dependency 'org.apache.logging.log4j:log4j-slf4j-impl:2.14.1'
+    dependency 'org.apache.logging.log4j:log4j-api:2.15.0'
+    dependency 'org.apache.logging.log4j:log4j-core:2.15.0'
+    dependency 'org.apache.logging.log4j:log4j-jul:2.15.0'
+    dependency 'org.apache.logging.log4j:log4j-slf4j-impl:2.15.0'
 
     dependency 'org.apache.tuweni:tuweni-bytes:2.0.0'
     dependency 'org.apache.tuweni:tuweni-config:2.0.0'