This bumps the versions of log4j-api and log4j-core that were imported for testing. The old versions of log4j were found to be susceptible to a remote code execution attack. See the following resources for more info:
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://www.randori.com/blog/cve-2021-44228/
- https://www.cve.org/CVERecord?id=CVE-2021-44228
datadog-lambda-java only uses log4j in testing, and the log4j dependency does not make it into the published library. Regardless, we are going to cut a new version to be safe.
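For reference, here is what a test-only log4j dependency looks like in a Maven `pom.xml`. This is an added illustration, not the project's own build file; the version string is a placeholder, and the actual patched version this release bumps to is not stated here.

```xml
<!-- Added example, not the project's pom.xml.
     A dependency declared with <scope>test</scope> is available on the
     test classpath only; Maven does not propagate test-scoped dependencies
     to consumers of the published artifact, which is why a test-only log4j
     never reaches users of the library. -->
<properties>
  <!-- Placeholder: substitute the patched log4j release you are moving to. -->
  <log4j.version>PATCHED_LOG4J_VERSION</log4j.version>
</properties>

<dependencies>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>${log4j.version}</version>
    <scope>test</scope>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>${log4j.version}</version>
    <scope>test</scope>
  </dependency>
</dependencies>
```

To confirm that log4j is indeed confined to the test classpath, run `mvn dependency:tree` and check that both artifacts appear only with the `:test` scope suffix and not under `compile` or `runtime`.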
Barring any additional critical security fixes, this will probably be the last update to datadog-lambda-java:0.3.x. Additional updates will be in v1.4.x.
https://search.maven.org/artifact/com.datadoghq/datadog-lambda-java/0.3.3/jar
Latest corresponding dd-trace-java layer ARN:
arn:aws:lambda:<AWS_REGION>:464622532012:layer:dd-trace-java:3