log4j 1.2.14 is vulnerable deserialization of untrusted data (CVE-2019-17571) #56

Open
TheBierbrauer opened this issue Jan 13, 2022 · 2 comments

Comments

@TheBierbrauer

Log4j needs to be updated (or replaced) to fix this vulnerability

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571

@keeganwitt
Contributor

keeganwitt commented Jan 20, 2022

Log4j 1 was end of life August 5, 2015, so this fix should be

  • Upgrade to Log4J 2 (could use the bridge for this, but I don't think it'd be a lot of work to just upgrade completely).
  • Switch to reload4j.
  • Switch to Logback or some other logging framework.
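
As an added example (not code from this project or from any commenter), the following Python script checks a directory of jars for the three outcomes discussed above: a log4j 1.x artifact that still needs replacing, the log4j 2 bridge, and the recommended replacements (log4j 2 or reload4j). It assumes jars carry Maven coordinates in `META-INF/maven/<groupId>/<artifactId>/pom.properties`, uses the presence of `org/apache/log4j/net/SocketServer.class` (the log4j 1.x class whose deserialization is the subject of CVE-2019-17571) as a fallback indicator for shaded or unlabelled jars, and takes 2.17.1 as the log4j 2 baseline because that is the version the commit log later in this thread says master was upgraded to. The sample jars are constructed in a temporary directory, not real artifacts.

```python
import os
import tempfile
import zipfile
from dataclasses import dataclass

# Baseline taken from the "Upgrade log4j to 2.17.1" commit quoted in this thread (assumption).
LOG4J2_BASELINE = (2, 17, 1)
# Class shipped in log4j 1.x whose deserialization of socket input is CVE-2019-17571.
LOG4J1_MARKER_CLASS = "org/apache/log4j/net/SocketServer.class"


@dataclass
class Finding:
    jar: str
    coordinates: str  # groupId:artifactId:version, or "?" when no pom.properties was found
    verdict: str      # "replace", "bridge", "ok" or "unknown"
    reason: str


def parse_version(version):
    """Turn '2.17.1' or '1.2.18.0' into a comparable tuple of ints (non-digits ignored)."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def read_pom_properties(zf):
    """Return (groupId, artifactId, version) from the jar's pom.properties, or None."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, _, value = line.partition("=")
                    props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"} <= props.keys():
                return props["groupId"], props["artifactId"], props["version"]
    return None


def classify_jar(path):
    with zipfile.ZipFile(path) as zf:
        coords = read_pom_properties(zf)
        has_marker = LOG4J1_MARKER_CLASS in set(zf.namelist())
    if coords is None:
        if has_marker:
            return Finding(path, "?", "replace", "bundles the log4j 1.x SocketServer class (shaded or unlabelled jar)")
        return Finding(path, "?", "unknown", "no Maven coordinates and no log4j 1.x classes")
    group, artifact, version = coords
    gav = f"{group}:{artifact}:{version}"
    if (group, artifact) == ("log4j", "log4j"):
        return Finding(path, gav, "replace", "log4j 1.x is end of life; CVE-2019-17571 is not fixed in this line")
    if (group, artifact) == ("ch.qos.reload4j", "reload4j"):
        return Finding(path, gav, "ok", "reload4j, the maintained drop-in fork of log4j 1.2")
    if group == "org.apache.logging.log4j":
        if artifact == "log4j-1.2-api":
            return Finding(path, gav, "bridge", "log4j 2 bridge: callers keep the 1.x API, but the log4j 1.x jar itself must go")
        if parse_version(version) >= LOG4J2_BASELINE:
            return Finding(path, gav, "ok", "log4j 2 at or above the baseline version")
        return Finding(path, gav, "replace", "log4j 2 below the baseline version")
    if has_marker:
        return Finding(path, gav, "replace", "third-party jar shades log4j 1.x classes")
    return Finding(path, gav, "unknown", "not a log4j artifact")


def scan(directory):
    """Classify every .jar directly inside `directory`."""
    jars = sorted(f for f in os.listdir(directory) if f.endswith(".jar"))
    return [classify_jar(os.path.join(directory, f)) for f in jars]


def make_jar(path, coords=None, entries=()):
    """Build a constructed sample jar (not a real artifact) with optional pom.properties."""
    with zipfile.ZipFile(path, "w") as zf:
        if coords:
            g, a, v = coords
            zf.writestr(f"META-INF/maven/{g}/{a}/pom.properties", f"groupId={g}\nartifactId={a}\nversion={v}\n")
        for entry in entries:
            zf.writestr(entry, b"")


def demo():
    """Constructed sample classpath; returns {jar name: verdict}."""
    tmp = tempfile.mkdtemp()
    make_jar(os.path.join(tmp, "log4j-1.2.14.jar"), ("log4j", "log4j", "1.2.14"), [LOG4J1_MARKER_CLASS])
    make_jar(os.path.join(tmp, "log4j-core-2.17.1.jar"), ("org.apache.logging.log4j", "log4j-core", "2.17.1"))
    make_jar(os.path.join(tmp, "log4j-1.2-api-2.17.1.jar"), ("org.apache.logging.log4j", "log4j-1.2-api", "2.17.1"))
    make_jar(os.path.join(tmp, "reload4j-1.2.18.0.jar"), ("ch.qos.reload4j", "reload4j", "1.2.18.0"))
    make_jar(os.path.join(tmp, "shaded-app.jar"), None, [LOG4J1_MARKER_CLASS])
    return {os.path.basename(f.jar): f.verdict for f in scan(tmp)}


if __name__ == "__main__":
    for jar, verdict in demo().items():
        print(f"{verdict:8} {jar}")
```

Run it against a real `lib/` or `WEB-INF/lib/` directory with `scan(path)`; a "replace" verdict on `log4j:log4j` or on an unlabelled jar that still carries the SocketServer class means the remediation above is not complete, and a "bridge" verdict without a "replace" finding is the expected end state if the bridge route is taken.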

@Damon-V79

Hello, I think this issue can be closed. Log4j in master was updated:

   ...
* |   0d2e54bf    Merge branch 'jira/PROC-1059' into 'master'    Kenta Isozuka
|\ \  
| |/  
|/|   
| * 0765ee72    PROC-1059: Remove slf4j    kisozuka
| * 5c33c660    PROC-1059: Fix Logger to use log4j2    kisozuka
| * 5aa4b3dc    PROC-1059: Upgrade log4j to 2.17.1    kisozuka
|/  
*   044c20d7    Merge branch 'jira/PROC-1015' into 'master'    Taito Ri
   ...
