Skip to content

v1.0.3
Compare
Choose a tag to compare
@LEDfan LEDfan released this 20 Dec 08:30
· 97 commits to master since this release
v1.0.3
f1802b0

This release contains a security update of the log4j library. This fixes CVE-2021-45105 see GHSA-p6xc-xr62-6r2g.

Version 1.0.1 of the operator includes log4j 2.15.0, which fixes CVE-2021-44228 and version 1.0.2 of the operator includes log4j 2.16.0 which fixes CVE-2021-45046. This release updates log4j to 2.17.0 in order to fix CVE-2021-45105.
In the case of the Operator, the possibilities to exploit this vulnerability are low. The operator only handles input from the Kubernetes API and does not expose any network service. Therefore an attacker must be able to create ShinyProxy resources in order to exploit this vulnerability.

Note: ShinyProxy itself is not vulnerable, as it uses logback as logging backend.

Assets 2
Loading