[jbosstools-issues] [JBoss JIRA] (JBIDE-27040) Update log4j to 2.13.0(due to CVE-2019-17571)
Josef Kopriva (Jira)
issues at jboss.org
Wed Feb 26 06:12:23 EST 2020
[ https://issues.redhat.com/browse/JBIDE-27040?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Josef Kopriva closed JBIDE-27040.
---------------------------------
Closing, PR is merged.
> Update log4j to 2.13.0(due to CVE-2019-17571)
> ----------------------------------------------
>
> Key: JBIDE-27040
> URL: https://issues.redhat.com/browse/JBIDE-27040
> Project: Tools (JBoss Tools)
> Issue Type: Bug
> Components: build, openshift
> Affects Versions: 4.14.0.Final
> Reporter: Josef Kopriva
> Assignee: Josef Kopriva
> Priority: Major
> Fix For: 4.14.0.Final
>
>
> From repo:
> {code:java}
> CVE-2019-17571
> moderate severity
> Vulnerable versions: >= 1.2, <= 1.2.27
> Patched version: No fix
> Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
> {code}
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
More information about the jbosstools-issues
mailing list