[jbosstools-issues] [JBoss JIRA] (JBIDE-27040) Update log4j to 2.13.0 (due to CVE-2019-17571)
Stephane Bouchet (Jira)
issues at jboss.org
Thu Feb 13 04:22:00 EST 2020
[ https://issues.redhat.com/browse/JBIDE-27040?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13970746#comment-13970746 ]
Stephane Bouchet commented on JBIDE-27040:
------------------------------------------
See also, for further information: https://bugs.eclipse.org/bugs/show_bug.cgi?id=559410
> Update log4j to 2.13.0 (due to CVE-2019-17571)
> ----------------------------------------------
>
> Key: JBIDE-27040
> URL: https://issues.redhat.com/browse/JBIDE-27040
> Project: Tools (JBoss Tools)
> Issue Type: Bug
> Components: build, openshift
> Affects Versions: 4.14.0.Final
> Reporter: Josef Kopriva
> Assignee: Josef Kopriva
> Priority: Major
> Fix For: 4.14.0.Final
>
>
> From repo:
> {code:java}
> CVE-2019-17571
> moderate severity
> Vulnerable versions: >= 1.2, <= 1.2.27
> Patched version: No fix
> Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
> {code}
--
This message was sent by Atlassian Jira
(v7.13.8#713008)