v1.0.2

@LEDfan LEDfan released this 15 Dec 08:32
· 101 commits to master since this release

This release contains a security update of the log4j library. It fixes CVE-2021-45046; see GHSA-7rjr-3q55-vv33.

Version 1.0.1 of the operator includes log4j 2.15.0, which fixes CVE-2021-44228; however, that fix is incomplete. This release updates log4j to 2.16.0.
In the case of the Operator, the possibilities to exploit this vulnerability are low. The operator only handles input from the Kubernetes API and does not expose any network service. Therefore an attacker must already be able to create ShinyProxy resources in the cluster in order to exploit this vulnerability.

Note: ShinyProxy itself is not vulnerable, as it uses logback as its logging backend.