pducharme / UniFi-Video-Controller

Docker for Unifi-Video Controller (Ubiquiti Networks)

Fix log4j #203

Closed paulcarlucci closed 2 years ago

paulcarlucci commented 2 years ago

Ok, let's try this again. I've pushed 2.17.0 to my repo on that fix_log4j branch. Pull :latest from paulcarlucci/unifi-video-controller if you want my build. Deal? Deal.


Alright, let's try this again. THIS one swaps in log4j 2.17.0 and renames it as 2.1.0. Folks are reporting that the prior attempt with setting the JMX flag was no bueno. And 2.16 too... whatever. This entire comment is a mess of edits.

Again if you wanna try my build it's at https://hub.docker.com/repository/docker/paulcarlucci/unifi-video-controller

The 3.10.13-log4j_2.16.0 tag is the correct one as I deleted the 3.10.13-log4j one with the ineffective patch. (More edits since we're up to 2.17 now... sigh. Simply pull :latest.)

The patch method in this PR is jpoblocki's, as shown here: https://community.ui.com/questions/Mitigating-the-Java-Log4J-exploit-in-UniFi-Video-on-Debian-Ubuntu/c59621d2-3cbf-48aa-9780-76477e0b1d39

edit: went from 2.15 to 2.16 to 2.17

paulcarlucci commented 2 years ago

paulcarlucci/unifi-video-controller:3.10.13-log4j-2.16.0

New build and commit.

sbias commented 2 years ago

edit: (removed my comment)

paulcarlucci commented 2 years ago

FYI, the original bundled version of log4j is 2.1, which doesn't support the "LOG4J_FORMAT_MSG_NO_LOOKUPS=true" workaround. Replacing 2.1 with 2.16.0 is the only viable patch that's known for Java 8 apps such as UniFi Video.
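
A filename-independent check for the jar swap described in this thread (a newer log4j-core jar installed under the old bundled version's name), added here as an example and not part of the PR or the project: it reads the version from the Maven metadata inside the jar instead of trusting the file name. The file name `log4j-core-2.1.jar`, the 2.17.0 threshold and the in-memory sample jars are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Standard Maven metadata entry inside log4j-core jars; survives a file rename.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MIN_VERSION = (2, 17, 0)  # assumption: the version this thread settled on

def as_tuple(version):
    """'2.1' -> (2, 1, 0); non-numeric suffixes are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    nums = [int(p) for p in m.group(0).split(".")[:3]] if m else []
    return tuple(nums + [0] * (3 - len(nums)))

def embedded_version(jar):
    """Version recorded inside the jar, or None if it is not log4j-core."""
    with zipfile.ZipFile(jar) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        text = zf.read(POM_PROPS).decode("utf-8", "replace")
    m = re.search(r"^version=(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None

def audit(name, jar):
    """Compare the version the file name claims with the one in the jar."""
    m = re.search(r"log4j-core-(\d+(?:\.\d+)*)\.jar$", name)
    claimed = m.group(1) if m else None
    real = embedded_version(jar)
    return {
        "claimed": claimed,
        "embedded": real,
        "renamed": bool(claimed and real) and as_tuple(claimed) != as_tuple(real),
        "patched": real is not None and as_tuple(real) >= MIN_VERSION,
    }

def make_jar(version):
    """Constructed in-memory stand-in jar (sample data, not a real log4j build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Hypothetical file name: a 2.17.0 jar renamed to the old bundled version.
    print(audit("log4j-core-2.1.jar", make_jar("2.17.0")))
    print(audit("log4j-core-2.1.jar", make_jar("2.1")))
```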

sbias commented 2 years ago

Tested your branch, seems to work fine and cannot reproduce the issue. Thanks.

techsolx commented 2 years ago

Tested your changes, working fine for me. 8 cameras on a local Ubuntu box. Thank you @paulcarlucci

Firefishy commented 2 years ago

@pducharme Polite Nudge ;-)

micheltol commented 2 years ago

Works for me; when is this being merged, @pducharme?

pducharme commented 2 years ago

@micheltol Done! Sorry it's abandoned, so I don't keep an eye on it a lot.