From 62ef59466eb9bcef31067f9cc773eb96e7a466cb Mon Sep 17 00:00:00 2001
From: kezhenxu94
Date: Wed, 29 Dec 2021 11:07:48 +0800
Subject: [PATCH] Bump up log4j to 2.17.1 (#8349)
---
 CHANGES.md | 4 ++--
 dist-material/release-docs/LICENSE | 2 +-
 oap-server-bom/pom.xml | 2 +-
 tools/dependencies/known-oap-backend-dependencies.txt | 6 +++---
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 2c3e30831f..b693621479 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -7,8 +7,8 @@ Release Notes.
 #### Project
-* Upgrade log4j2 to 2.17.0 for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. This CVE only effects on JDK if JNDI
- is opened in default. Notice, using JVM option `-Dlog4j2.formatMsgNoLookups=true` or setting
+* Upgrade log4j2 to 2.17.1 for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832. This CVE only effects
+ on JDK if JNDI is opened in default. Notice, using JVM option `-Dlog4j2.formatMsgNoLookups=true` or setting
 the `LOG4J_FORMAT_MSG_NO_LOOKUPS=”true”` environment variable also avoids CVEs.
 * Upgrade maven-wrapper to 3.1.0, maven to 3.8.4 for performance improvements and ARM more native support.
diff --git a/dist-material/release-docs/LICENSE b/dist-material/release-docs/LICENSE
index a3c4cd06d7..1a0f185abb 100755
--- a/dist-material/release-docs/LICENSE
+++ b/dist-material/release-docs/LICENSE
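Review bot: The mitigation sentence kept on the new side of the CHANGES.md hunk ("Notice, using JVM option `-Dlog4j2.formatMsgNoLookups=true` or setting the `LOG4J_FORMAT_MSG_NO_LOOKUPS` environment variable also avoids CVEs") is wrong for the newly listed CVE-2021-44832, which is a JDBC Appender issue reached through an attacker-modifiable log4j2 configuration rather than through message lookups, and it was already only a partial mitigation for CVE-2021-45046 and CVE-2021-45105. The preceding sentence "This CVE only effects on JDK if JNDI is opened in default" now describes one CVE while four are listed, and "effects" should be "affects". I would replace the last two sentences of the bullet with `Of these, only CVE-2021-44228 is mitigated by -Dlog4j2.formatMsgNoLookups=true / LOG4J_FORMAT_MSG_NO_LOOKUPS=true; the complete fix for all four is upgrading to 2.17.1. CVE-2021-44832 applies only where the log4j2 configuration file itself can be modified by an attacker.` The unchanged context line also spells the value with typographic quotes (`”true”`), which would set the variable to a literal ”true” if copied as-is; plain ASCII quotes or none would be safer.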
@@ -249,7 +249,7 @@ The text of each license is the standard Apache 2.0 license.
 Apache: commons-lang 3.6: https://github.com/apache/commons-lang, Apache 2.0
 Apache: commons-text 1.8: https://github.com/apache/commons-text, Apache 2.0
 Apache: commons-beanutils 1.9.4: https://github.com/apache/commons-beanutils, Apache 2.0
- Apache: log4j2 2.17.0: https://github.com/apache/logging-log4j2, Apache 2.0
+ Apache: log4j2 2.17.1: https://github.com/apache/logging-log4j2, Apache 2.0
 Apache: zookeeper 3.5.7: https://github.com/apache/zookeeper, Apache 2.0
 Apache: commons-collections 3.2.2: https://github.com/apache/commons-collections, Apache 2.0
 Apache: commons-configuration 1.8: https://github.com/apache/commons-configuration, Apache 2.0
diff --git a/oap-server-bom/pom.xml b/oap-server-bom/pom.xml
index d8fc50c9dc..04736bf409 100644
--- a/oap-server-bom/pom.xml
+++ b/oap-server-bom/pom.xml
@@ -29,7 +29,7 @@ 1.7.30
- 2.17.0
+ 2.17.1
 5.2.3 8.0 3.14.9
diff --git a/tools/dependencies/known-oap-backend-dependencies.txt b/tools/dependencies/known-oap-backend-dependencies.txt
index d2e3e7812f..4f103efbb6 100755
--- a/tools/dependencies/known-oap-backend-dependencies.txt
+++ b/tools/dependencies/known-oap-backend-dependencies.txt
@@ -93,10 +93,10 @@ kotlin-reflect-1.1.1.jar
 kotlin-stdlib-1.1.60.jar
 libthrift-0.14.1.jar
 listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
-log4j-api-2.17.0.jar
-log4j-core-2.17.0.jar
+log4j-api-2.17.1.jar
+log4j-core-2.17.1.jar
 log4j-over-slf4j-1.7.30.jar
-log4j-slf4j-impl-2.17.0.jar
+log4j-slf4j-impl-2.17.1.jar
 logging-interceptor-3.13.1.jar
 lz4-java-1.6.0.jar
 micrometer-core-1.7.6.jar
--
GitLab