PyPi: Localstack

CVE-2021-44228

Transitive

Safety vulnerability ID: 52463

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Dec 10, 2021 Updated at Apr 25, 2024

Advisory

Localstack 0.13.2 updates its Maven dependency log4j to v2.17.0 (pulled in via the Java utils library) to include the security fixes.

Affected package

localstack

Latest version: 3.4.0

LocalStack - A fully functional local Cloud stack

Affected versions

Fixed versions

Vulnerability changelog

Announcements

* **Security fixes**: This release upgrades **log4j** dependencies to version `2.17.0` to fix the critical security vulnerabilities [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228), [CVE-2021-45046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046)

Change Log

1. New Features

* add initial support for region-based in-place partition rewriting
* add "--offline" pytest flag, skip "online-only" tests, fix some tests
* add SKIP_SSL_CERT_DOWNLOAD option to allow skipping download of SSL cert

2. Enhancements

* bump version of Java utils to 0.2.18 to fix log4j vulnerability CVE-2021-44228, CVE-2021-45046
* refactor README.md to make it crisp and readable
* refactor Lambda logic to remove local executor Callable from model entities
* automatically pull non-cached Docker images on image inspection
* replace dict calls with comprehensions
* small fixes to allow running LocalStack with podman
* reduce log level of edge port configuration hook
* correctly wait for stay-open port to be available, fix fallback to exec mode
* add compatibility checks for S3 copy object with metadata
* add proper error response message to reject empty SNS messages
* minor refactoring to use negative index -1 to get the last element of sequence
* minor refactoring of Lambda API for better extensibility

3. Bug Fixes

* fix updating of HTTP method in message handler chain to avoid None methods
* fix misc. tests failing for non-default region
* fix Terraform test issue related to SQS changes in the AWS provider
* fix association of VPCs in Route53 HostedZone responses
* fix CloudFormation updates for EC2::Instance with empty SecurityGroups property
* fix listing of KMS signing keys for asymmetric key pairs

Resources


Severity Details

CVSS Base Score

CRITICAL 10.0

CVSS v3 Details

CRITICAL 10.0

| Metric | Value |
| --- | --- |
| Attack Vector (AV) | NETWORK |
| Attack Complexity (AC) | LOW |
| Privileges Required (PR) | NONE |
| User Interaction (UI) | NONE |
| Scope (S) | CHANGED |
| Confidentiality Impact (C) | HIGH |
| Integrity Impact (I) | HIGH |
| Availability Impact (A) | HIGH |

CVSS v2 Details

HIGH 9.3

| Metric | Value |
| --- | --- |
| Access Vector (AV) | NETWORK |
| Access Complexity (AC) | MEDIUM |
| Authentication (Au) | NONE |
| Confidentiality Impact (C) | COMPLETE |
| Integrity Impact (I) | COMPLETE |
| Availability Impact (A) | COMPLETE |
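The two base scores above follow directly from the listed metrics. As an added worked example (not part of this advisory page or of the Safety or LocalStack projects), the script below reproduces both: the CVSS v3 score uses the v3.1 specification's weights and Roundup function (for this vector v3.0 yields the same 10.0), and the CVSS v2 score uses the v2 weights and rounding. The metric names are the page's own; the function names and the severity-rating helper are this example's.

```python
"""Reproduce the CVSS v3 (10.0) and v2 (9.3) base scores listed on this page."""
import math

# CVSS v3.1 metric weights from the specification.
V3_AV = {"NETWORK": 0.85, "ADJACENT": 0.62, "LOCAL": 0.55, "PHYSICAL": 0.2}
V3_AC = {"LOW": 0.77, "HIGH": 0.44}
V3_UI = {"NONE": 0.85, "REQUIRED": 0.62}
V3_CIA = {"HIGH": 0.56, "LOW": 0.22, "NONE": 0.0}
# Privileges Required is weighted differently when Scope is CHANGED.
V3_PR = {
    "UNCHANGED": {"NONE": 0.85, "LOW": 0.62, "HIGH": 0.27},
    "CHANGED": {"NONE": 0.85, "LOW": 0.68, "HIGH": 0.50},
}


def roundup(value: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal number >= value, done on integers."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def cvss_v3_base(av, ac, pr, ui, scope, c, i, a) -> float:
    """Base score per CVSS v3.1 section 7.1."""
    iss = 1 - (1 - V3_CIA[c]) * (1 - V3_CIA[i]) * (1 - V3_CIA[a])
    if scope == "UNCHANGED":
        impact = 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = 8.22 * V3_AV[av] * V3_AC[ac] * V3_PR[scope][pr] * V3_UI[ui]
    if impact <= 0:
        return 0.0
    if scope == "UNCHANGED":
        return roundup(min(impact + exploitability, 10))
    # Scope CHANGED: 1.08 multiplier, capped at 10 before rounding.
    return roundup(min(1.08 * (impact + exploitability), 10))


def v3_severity(score: float) -> str:
    """Qualitative rating scale from CVSS v3.1 section 5."""
    if score == 0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


# CVSS v2 metric weights from the v2 guide.
V2_AV = {"LOCAL": 0.395, "ADJACENT": 0.646, "NETWORK": 1.0}
V2_AC = {"HIGH": 0.35, "MEDIUM": 0.61, "LOW": 0.71}
V2_AU = {"MULTIPLE": 0.45, "SINGLE": 0.56, "NONE": 0.704}
V2_CIA = {"NONE": 0.0, "PARTIAL": 0.275, "COMPLETE": 0.660}


def cvss_v2_base(av, ac, au, c, i, a) -> float:
    """Base score per the CVSS v2 equations."""
    impact = 10.41 * (1 - (1 - V2_CIA[c]) * (1 - V2_CIA[i]) * (1 - V2_CIA[a]))
    exploitability = 20 * V2_AV[av] * V2_AC[ac] * V2_AU[au]
    f_impact = 0 if impact == 0 else 1.176
    return round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact, 1)


if __name__ == "__main__":
    # The metric values listed on this page for CVE-2021-44228.
    v3 = cvss_v3_base("NETWORK", "LOW", "NONE", "NONE", "CHANGED", "HIGH", "HIGH", "HIGH")
    v2 = cvss_v2_base("NETWORK", "MEDIUM", "NONE", "COMPLETE", "COMPLETE", "COMPLETE")
    print(f"CVSS v3 base: {v3} ({v3_severity(v3)})")  # 10.0 (CRITICAL)
    print(f"CVSS v2 base: {v2}")  # 9.3
```

The v3 result only reaches 10.0 because Scope is CHANGED: with the same CIA impacts but Scope UNCHANGED the same function returns 9.8, which is why the Scope metric matters when triaging a Log4Shell-style finding in a transitive dependency.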