[jbosstools-issues] [JBoss JIRA] (JBIDE-27040) Update log4j to 2.13.0 (due to CVE-2019-17571)
Josef Kopriva (Jira)
issues at jboss.org
Thu Feb 6 04:39:02 EST 2020
Josef Kopriva created JBIDE-27040:
-------------------------------------
Summary: Update log4j to 2.13.0 (due to CVE-2019-17571)
Key: JBIDE-27040
URL: https://issues.redhat.com/browse/JBIDE-27040
Project: Tools (JBoss Tools)
Issue Type: Bug
Components: build, openshift
Affects Versions: 4.14.0.Final
Reporter: Josef Kopriva
Assignee: Josef Kopriva
Fix For: 4.14.0.Final
From repo:
{code:java}
CVE-2019-17571
moderate severity
Vulnerable versions: >= 1.2, <= 1.2.27
Patched version: No fix
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
{code}
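As an added illustration of the advisory quoted above (this is not code from the ticket or from the JBoss Tools build), the script below walks a constructed list of Maven coordinates and flags any log4j 1.x artifact that falls in the affected range. The bounds (1.2 up to 1.2.17, no patched 1.x release) and the 2.13.0 target come from the issue text; the dependency list, the function names and the coordinate format are assumptions made for the example.

```python
"""Flag log4j 1.x dependencies affected by CVE-2019-17571.

Added example for JBIDE-27040, not part of the JBoss Tools project. The
advisory quoted in the ticket gives the affected range as log4j 1.2 up to
1.2.17 with no fixed 1.x release, and the ticket's remedy is log4j 2.13.0.
The dependency list below is constructed for illustration.
"""

# Inclusive lower bound of the affected range, per the quoted advisory.
AFFECTED_MIN = (1, 2)
# The advisory records "Patched version: No fix", so every 1.x release at or
# above 1.2 is treated as affected; only the 2.x line is out of scope.
NEXT_MAJOR = (2,)
# Target version from the ticket summary.
TARGET_VERSION = "2.13.0"

# Constructed sample: Maven coordinates as groupId:artifactId:version.
SAMPLE_DEPENDENCIES = [
    "log4j:log4j:1.2.17",
    "log4j:log4j:1.2.15",
    "org.apache.logging.log4j:log4j-core:2.13.0",
    "org.slf4j:slf4j-api:1.7.30",
]


def parse_version(version: str) -> tuple:
    """Turn '1.2.17' into (1, 2, 17).

    A trailing qualifier such as '17-beta' keeps its numeric prefix; a
    component with no leading digits ends the parse.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version is a 1.x release at or above 1.2."""
    parsed = parse_version(version)
    if not parsed:
        return False
    # Tuple comparison: (1, 2) <= (1, 2, 17) and (1, 2, 17) < (2,).
    return AFFECTED_MIN <= parsed < NEXT_MAJOR


def find_affected(dependencies):
    """Return (coordinate, recommendation) pairs for affected log4j 1.x artifacts."""
    findings = []
    for coord in dependencies:
        group, artifact, version = coord.split(":")
        if group == "log4j" and artifact == "log4j" and is_affected(version):
            findings.append(
                (coord, f"CVE-2019-17571: upgrade to log4j {TARGET_VERSION} (JBIDE-27040)")
            )
    return findings


if __name__ == "__main__":
    for coord, advice in find_affected(SAMPLE_DEPENDENCIES):
        print(f"{coord}: {advice}")
```

The check deliberately treats the whole 1.2 line as affected rather than stopping at 1.2.17, because the advisory lists no fixed 1.x version; the only remediation the ticket offers is the move to the 2.x line.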
--
This message was sent by Atlassian Jira
(v7.13.8#713008)