log4j version update to 2.17.1 (#413)

usmansaleem · web-flow · commit 247c7ca6a6ba · 2022-01-04T15:38:29.000+10:00
* log4j version 2.17.1
* signers version 1.0.24
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,16 @@
 # Changelog
 
+## 21.10.4
+### Bugs Fixed
+- Updated to log4j 2.17.1. Resolves two potential vulnerabilities which are only exploitable when using custom log4j configurations that are either writable by untrusted users or log data from the `ThreadContext`.
+
+---
+## 21.10.3
+### Bugs Fixed
+- Updated log4j to 2.17.0 to mitigate potential DOS vulnerability when the logging configuration uses a non-default Pattern Layout with a Context Lookup.
+
+--- 
+
 ## 21.10.2
 ### Bugs Fixed
 - Updated log4j to 2.16.0 to mitigate JNDI attack via thread context.
diff --git a/gradle/versions.gradle b/gradle/versions.gradle
@@ -41,9 +41,11 @@ dependencyManagement {
 
     dependency 'javax.activation:activation:1.1.1'
 
-    dependency 'org.apache.logging.log4j:log4j-api:2.17.0'
-    dependency 'org.apache.logging.log4j:log4j-core:2.17.0'
-    dependency 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.0'
+    dependencySet(group: 'org.apache.logging.log4j', version: '2.17.1') {
+      entry 'log4j-api'
+      entry 'log4j-core'
+      entry 'log4j-slf4j-impl'
+    }
 
     dependencySet(group: 'org.apache.tuweni', version: '1.1.0') {
       entry 'tuweni-net'
@@ -72,7 +74,7 @@ dependencyManagement {
       entry 'crypto'
     }
 
-    dependencySet(group: 'tech.pegasys.signers.internal', version: '1.0.23') {
+    dependencySet(group: 'tech.pegasys.signers.internal', version: '1.0.24') {
       entry 'keystorage-hashicorp'
       entry 'signing-secp256k1-api'
       entry 'signing-secp256k1-impl'
