fix: log4j version in ref analytics flyway (#219)

jeromevdl · web-flow · commit c2c18615602c · 2022-01-03T21:35:21.000+01:00
* log4j 2.16

* bump mysql-connector version: 8.0.16

* log4j 2.17
diff --git a/core/src/db-schema-manager/resources/flyway-lambda/build.gradle b/core/src/db-schema-manager/resources/flyway-lambda/build.gradle
@@ -66,12 +66,12 @@ dependencies {
     implementation group: 'commons-io', name: 'commons-io', version: '2.5'
     implementation group: 'org.json', name: 'json', version: '20190722'
     implementation group: 'org.postgresql', name: 'postgresql', version: '42.2.5'
-    implementation group: 'mysql', name: 'mysql-connector-java', version: '8.0.12'
-    implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.12.1'
-    implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.12.1'
+    implementation group: 'mysql', name: 'mysql-connector-java', version: '8.0.16'
+    implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.17.0'
+    implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.17.0'
     implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.9'
     implementation group: 'com.amazonaws', name: 'aws-lambda-java-core', version: '1.2.0'
-    implementation group: 'com.amazonaws', name: 'aws-lambda-java-log4j2', version: '1.1.0'
+    implementation group: 'com.amazonaws', name: 'aws-lambda-java-log4j2', version: '1.4.0'
     implementation group: 'com.amazonaws', name: 'aws-java-sdk-s3'
     implementation group: 'com.amazonaws', name: 'aws-java-sdk-secretsmanager'
     implementation group: 'com.amazonaws', name: 'aws-java-sdk-cloudformation'
@@ -89,6 +89,19 @@ dependencies {
     testCompile group: 'org.apache.tomcat.embed', name: 'tomcat-embed-core', version: '8.5.23'
     testCompile group: 'org.testcontainers', name: 'postgresql', version: '1.16.2'
     testCompile group: 'org.testcontainers', name: 'mysql', version: '1.16.2'
+
+    // Prevent using feature log4j below 2.17.0 which can contain CVE-2021-44228 and CVE-2021-45046
+    // See step 3 in https://blog.gradle.org/log4j-vulnerability
+    constraints {
+        implementation("org.apache.logging.log4j:log4j-core") {
+            version {
+                strictly("[2.17, 3[")
+                prefer("2.17.0")
+            }
+            because("CVE-2021-44228: Log4j vulnerable to remote code execution")
+            because("CVE-2021-45046: Log4j vulnerable to DoS attack")
+        }
+    }
 }
 
 task buildZip(type: Zip) {
