fix: Log4j Security Vulnerabilities
Created by: HAHH9527
What this PR dose
升级log4j依赖至2.17.0
Why we need it?
在非默认配置下(例如:$${ctx:loginId})攻击者可以手动创建包含递归查找的恶意输入数据,导致StackOverflowError。 2.17.0 删除了 JNDI 对 LDPA 协议的支持。
- CVE-2021-45105 风险等级:高 Fixed in Log4j 2.17.0 (Java 8)
- CVE-2021-45046 风险等级:严重 Fixed in Log4j 2.16.0 (Java 8)
How to test it?
所有log4j依赖均已替换
PS E:\Halo Dev\halo> .\gradlew.bat dependencies | findstr log4j
| | | +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1 -> 2.17.0
| | | | \--- org.apache.logging.log4j:log4j-api:2.17.0
| +--- org.apache.logging.log4j:log4j-core:2.8.2 -> 2.17.0
| | \--- org.apache.logging.log4j:log4j-api:2.17.0
| \--- org.apache.logging.log4j:log4j-api:2.8.2 -> 2.17.0
| | | +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1 -> 2.17.0
| | | | \--- org.apache.logging.log4j:log4j-api:2.17.0
| +--- org.apache.logging.log4j:log4j-core:2.8.2 -> 2.17.0
| | \--- org.apache.logging.log4j:log4j-api:2.17.0
| \--- org.apache.logging.log4j:log4j-api:2.8.2 -> 2.17.0
| | | +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1 -> 2.17.0
| | | | \--- org.apache.logging.log4j:log4j-api:2.17.0
| +--- org.apache.logging.log4j:log4j-core:2.8.2 -> 2.17.0
| | \--- org.apache.logging.log4j:log4j-api:2.17.0
| \--- org.apache.logging.log4j:log4j-api:2.8.2 -> 2.17.0
| | | +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1 -> 2.17.0
| | | | \--- org.apache.logging.log4j:log4j-api:2.17.0
| +--- org.apache.logging.log4j:log4j-core:2.8.2 -> 2.17.0
| | \--- org.apache.logging.log4j:log4j-api:2.17.0
| \--- org.apache.logging.log4j:log4j-api:2.8.2 -> 2.17.0
| | | +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1 -> 2.17.0
| | | | \--- org.apache.logging.log4j:log4j-api:2.17.0
| +--- org.apache.logging.log4j:log4j-core:2.8.2 -> 2.17.0
| | \--- org.apache.logging.log4j:log4j-api:2.17.0
| \--- org.apache.logging.log4j:log4j-api:2.8.2 -> 2.17.0