Updated log4j to 2.17.0 to fix CVE-2021-45105. (#949)

dlvenable · web-flow · commit 6342e644e9e7 · 2021-12-20T13:59:34.000-06:00
Signed-off-by: David Venable &lt;dlv@amazon.com&gt;
diff --git a/build.gradle b/build.gradle
@@ -14,25 +14,25 @@ subprojects {
     sourceCompatibility = '1.8'
     dependencies {
         implementation "com.google.guava:guava:29.0-jre"
-        implementation 'org.apache.logging.log4j:log4j-core:2.16.0'
+        implementation 'org.apache.logging.log4j:log4j-core:2.17.0'
         implementation "org.slf4j:slf4j-api:1.7.30"
-        implementation 'org.apache.logging.log4j:log4j-slf4j-impl:2.16.0'
+        implementation 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.0'
         testImplementation("junit:junit:4.13") {
             exclude group: 'org.hamcrest' // workaround for jarHell
         }
         constraints {
             implementation('org.apache.logging.log4j:log4j-core') {
                 version {
-                    require '2.16.0'
+                    require '2.17.0'
                 }
-                because 'Log4j 2.16.0 fixes CVE-2021-44228 and CVE-2021-45046'
+                because 'Log4j 2.17.0 fixes CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105'
             }
-        }
-        implementation('org.apache.logging.log4j:log4j-api') {
-            version {
-                require '2.16.0'
+            implementation('org.apache.logging.log4j:log4j-api') {
+                version {
+                    require '2.17.0'
+                }
+                because 'the build fails if the Log4j API is not update along with log4j-core'
             }
-            because 'the build fails if the Log4j API is not update along with log4j-core'
         }
     }
     build.dependsOn test
diff --git a/data-prepper-plugins/elasticsearch/build.gradle b/data-prepper-plugins/elasticsearch/build.gradle
@@ -67,8 +67,8 @@ configurations.all {
         force 'com.fasterxml.jackson.dataformat:jackson-dataformat-smile:2.12.3'
         force 'junit:junit:4.13'
         force "org.slf4j:slf4j-api:1.7.30"
-        force 'org.apache.logging.log4j:log4j-api:2.16.0'
-        force 'org.apache.logging.log4j:log4j-core:2.16.0'
+        force 'org.apache.logging.log4j:log4j-api:2.17.0'
+        force 'org.apache.logging.log4j:log4j-core:2.17.0'
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -67,8 +67,8 @@ configurations.all {`
`67`	`67`	`force 'com.fasterxml.jackson.dataformat:jackson-dataformat-smile:2.12.3'`
`68`	`68`	`force 'junit:junit:4.13'`
`69`	`69`	`force "org.slf4j:slf4j-api:1.7.30"`
`70`		`- force 'org.apache.logging.log4j:log4j-api:2.16.0'`
`71`		`- force 'org.apache.logging.log4j:log4j-core:2.16.0'`
	`70`	`+ force 'org.apache.logging.log4j:log4j-api:2.17.0'`
	`71`	`+ force 'org.apache.logging.log4j:log4j-core:2.17.0'`
`72`	`72`	`}`
`73`	`73`	`}`
`74`	`74`