Update log4j dependency to latest version (#127)

* Update log4j dependency to 2.17.1
Consensys · Jan 4, 2022 · ff46b59 · ff46b59
1 parent e5785bf
commit ff46b59
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,20 @@
-#Changelog
+# Changelog
 
+## 1.0.24
+### Bugs Fixed
+- Updated to log4j 2.17.1. Resolves two potential vulnerabilities which are only exploitable when using custom log4j configurations that are either writable by untrusted users or log data from the `ThreadContext`.
+
+---
+## 1.0.23
+### Bugs Fixed
+- Updated log4j to 2.17.0 to mitigate potential DOS vulnerability when the logging configuration uses a non-default Pattern Layout with a Context Lookup.
+
+---
+## 1.0.22
+### Bugs Fixed
+- Updated log4j to 2.16.0 to mitigate JNDI attack via thread context.
+
+---
 ## 1.0.21
 ### Features Added
 - Allow BLS key store data to be loaded from string.

diff --git a/gradle/versions.gradle b/gradle/versions.gradle
@@ -45,9 +45,11 @@ dependencyManagement {
 
     dependency 'org.apache.commons:commons-lang3:3.11'
 
-    dependency 'org.apache.logging.log4j:log4j-api:2.17.0'
-    dependency 'org.apache.logging.log4j:log4j-core:2.17.0'
-    dependency 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.0'
+    dependencySet(group: 'org.apache.logging.log4j', version: '2.17.1') {
+      entry 'log4j-api'
+      entry 'log4j-core'
+      entry 'log4j-slf4j-impl'
+    }
 
     dependency 'org.apache.tuweni:tuweni-bytes:0.10.0'
     dependency 'org.apache.tuweni:tuweni-crypto:0.10.0'