
log4j 1.2.14 is vulnerable to deserialization of untrusted data (CVE-2019-17571)

Open TheBierbrauer opened this issue 4 years ago • 2 comments

Log4j needs to be updated (or replaced) to fix this vulnerability

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571

TheBierbrauer, Jan 13 '22 15:01

Log4j 1 was end of life August 5, 2015, so this fix should be

  • Upgrade to Log4j 2 (could use the bridge for this, but I don't think it'd be a lot of work to just upgrade completely).
  • Switch to reload4j.
  • Switch to Logback or some other logging framework.

keeganwitt, Jan 20 '22 18:01

Hello, I think this issue can be closed. Log4j in master was updated:

   ...
* |   0d2e54bf    Merge branch 'jira/PROC-1059' into 'master'    Kenta Isozuka
|\ \  
| |/  
|/|   
| * 0765ee72    PROC-1059: Remove slf4j    kisozuka
| * 5c33c660    PROC-1059: Fix Logger to use log4j2    kisozuka
| * 5aa4b3dc    PROC-1059: Upgrade log4j to 2.17.1    kisozuka
|/  
*   044c20d7    Merge branch 'jira/PROC-1015' into 'master'    Taito Ri
   ...

Damon-V79, Apr 19 '22 08:04