|
1 | 1 | # Rollbar Log4j 2 integration
|
2 | 2 |
|
3 |
| -This directory contains the Log4j 2 integration of the Rollbar Java SDK. |
| 3 | +This directory contains the Log4j 2 integration of the Rollbar Java SDK. |
4 | 4 |
|
5 | 5 | Instructions for building and contributing to the SDK can be found in the main repository [README](../README.md).
|
6 | 6 |
|
7 | 7 | ## Compatibility
|
8 | 8 |
|
9 |
| -Staring with version `1.8.0`, `rollbar-log4j2` depends on version `2.16.0` of `log4j-core`. This removes compatibility with Java 7, but was a necessary upgrade to fix the CVE-2021-44228 vulnerability in Log4j. |
| 9 | +Staring with version `1.8.0`, `rollbar-log4j2` depends on version `2.16.0` (or later) of `log4j-core`. |
| 10 | +This removes compatibility with Java 7, but was a necessary upgrade to fix the following vulnerabilites in Log4j: |
10 | 11 |
|
11 |
| -Projects built and / or running with Java 7 can still use `rollbar-log4j2` version `1.8.0`, while forcing the use of a **vulnerable**, Java 7 compatible version of `Log4j`, by updating their build configuration to ignore transitive dependencies from `rollbar-log4j2`. |
| 12 | +- CVE-2021-44228 |
| 13 | +- CVE-2021-45046 |
| 14 | +- CVE-2021-45105 |
| 15 | + |
| 16 | +Projects built and/or running with Java 7 can still use `rollbar-log4j2` version `1.8.0+`, |
| 17 | +while forcing the use of a **vulnerable**, Java 7 compatible version of `Log4j`, |
| 18 | +by updating their build configuration to ignore transitive dependencies from `rollbar-log4j2`. |
12 | 19 |
|
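Review bot: line 9 keeps `2.16.0` (or later) as the `log4j-core` floor while line 14 adds CVE-2021-45105 to the list of vulnerabilities that upgrade fixes; `log4j-core` 2.16.0 is still affected by CVE-2021-45105 (the fix shipped in 2.17.0), so either raise the stated floor to `2.17.0` and bump the actual dependency to match, or remove CVE-2021-45105 from the list. Two typos survive the rewrite: "Staring" on line 9 should be "Starting", and "vulnerabilites" on line 10 should be "vulnerabilities".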
13 | 20 | Gradle configuration:
|
14 | 21 |
|
15 | 22 | ```gradle
|
16 | 23 | dependencies {
|
17 |
| - implementation(group: 'com.rollbar', name: 'rollbar-log4j2', version: '1.8.0') { |
| 24 | + implementation(group: 'com.rollbar', name: 'rollbar-log4j2', version: '1.8.1') { |
18 | 25 | exclude group: 'org.apache.logging.log4j'
|
19 | 26 | }
|
20 | 27 |
|
21 |
| - implementation group: 'org.apache.logging.log4j', name: 'log4j-slf4j-impl', version: '2.12.1' |
22 |
| - annotationProcessor group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.12.1' |
| 28 | + implementation group: 'org.apache.logging.log4j', name: 'log4j-slf4j-impl', version: '2.12.2' |
| 29 | + annotationProcessor group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.12.2' |
23 | 30 | }
|
24 | 31 |
|
25 | 32 | ```
|
26 | 33 |
|
27 |
| -Note CVE-2021-44228 is a major RCE vulnerability and this approach should only be used after a thorough security analysis, and with very strong mitigations in place. |
| 34 | +While CVE-2021-44228 and CVE-2021-45046 are already fixed in `2.12.2`, CVE-2021-45105 is **not** fixed for Java 7. |
| 35 | +Note CVE-2021-45105 is a high DoS vulnerability and this approach should only be used after a thorough security analysis, and with very strong mitigations in place. |
28 | 36 |
|
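Review bot: line 34 states CVE-2021-45105 "is **not** fixed for Java 7" as an absolute, but a Java 7 compatible fix exists in `log4j-core` 2.12.3; if that release is out when this lands, bump lines 28-29 to `2.12.2` → `2.12.3` and drop the caveat, otherwise write "not yet fixed". On line 35, "high DoS vulnerability" reads better as "high-severity denial-of-service vulnerability", and "very strong mitigations" should name the one that actually applies here: in the `PatternLayout` of the logging configuration, replace Context Lookups such as `${ctx:loginId}` or `$${ctx:loginId}` with Thread Context Map patterns (`%X`, `%mdc`, or `%MDC`), since those lookups are what the recursion in CVE-2021-45105 is reached through.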