Bump up log4j to 2.17.1 (#8349)

62ef5946 · kezhenxu94 · GitHub · 594e7390 · 62ef5946 · 62ef5946
4 changed file
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -7,8 +7,8 @@ Release Notes.

 #### Project

-* Upgrade log4j2 to 2.17.0 for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. This CVE only effects on JDK if JNDI
-  is opened in default. Notice, using JVM option `-Dlog4j2.formatMsgNoLookups=true` or setting
+* Upgrade log4j2 to 2.17.1 for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832. This CVE only effects
+  on JDK if JNDI is opened in default. Notice, using JVM option `-Dlog4j2.formatMsgNoLookups=true` or setting
  the `LOG4J_FORMAT_MSG_NO_LOOKUPS=”true”` environment variable also avoids CVEs.
 * Upgrade maven-wrapper to 3.1.0, maven to 3.8.4 for performance improvements and ARM more native support.


--- a/dist-material/release-docs/LICENSE
+++ b/dist-material/release-docs/LICENSE
@@ -249,7 +249,7 @@ The text of each license is the standard Apache 2.0 license.
    Apache: commons-lang 3.6: https://github.com/apache/commons-lang, Apache 2.0
    Apache: commons-text 1.8: https://github.com/apache/commons-text, Apache 2.0
    Apache: commons-beanutils 1.9.4: https://github.com/apache/commons-beanutils, Apache 2.0
-    Apache: log4j2 2.17.0: https://github.com/apache/logging-log4j2, Apache 2.0
+    Apache: log4j2 2.17.1: https://github.com/apache/logging-log4j2, Apache 2.0
    Apache: zookeeper 3.5.7: https://github.com/apache/zookeeper, Apache 2.0
    Apache: commons-collections 3.2.2: https://github.com/apache/commons-collections, Apache 2.0
    Apache: commons-configuration 1.8: https://github.com/apache/commons-configuration, Apache 2.0

--- a/oap-server-bom/pom.xml
+++ b/oap-server-bom/pom.xml
@@ -29,7 +29,7 @@

    <properties>
        <slf4j.version>1.7.30</slf4j.version>
-        <log4j.version>2.17.0</log4j.version>
+        <log4j.version>2.17.1</log4j.version>
        <graphql-java-tools.version>5.2.3</graphql-java-tools.version>
        <graphql-java.version>8.0</graphql-java.version>
        <okhttp.version>3.14.9</okhttp.version>

--- a/tools/dependencies/known-oap-backend-dependencies.txt
+++ b/tools/dependencies/known-oap-backend-dependencies.txt
@@ -93,10 +93,10 @@ kotlin-reflect-1.1.1.jar
 kotlin-stdlib-1.1.60.jar
 libthrift-0.14.1.jar
 listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
-log4j-api-2.17.0.jar
-log4j-core-2.17.0.jar
+log4j-api-2.17.1.jar
+log4j-core-2.17.1.jar
 log4j-over-slf4j-1.7.30.jar
-log4j-slf4j-impl-2.17.0.jar
+log4j-slf4j-impl-2.17.1.jar
 logging-interceptor-3.13.1.jar
 lz4-java-1.6.0.jar
 micrometer-core-1.7.6.jar