Herd is a managed data lake for the cloud. The Herd unified data catalog helps separate storage from compute in the cloud. Manage petabytes of data and make it accessible for data processing and analytical purposes by any cloud compute platform.
The scope of this CVE affected version is [,2.13.2)
After further analysis, in this project, the main Api called is <org.apache.logging.log4j.core.net.server.ObjectInputStreamLogEventBridge: java.io.InputStream wrapStream(java.io.InputStream)>
<org.apache.logging.log4j.core.net.server.ObjectInputStreamLogEventBridge: java.io.InputStream wrapStream(java.io.InputStream)>
at <org.apache.logging.log4j.core.net.server.UdpSocketServer: void run()> (org.apache.logging.log4j.core.net.server.UdpSocketServer.java:[156]) in /.m2/repository/org/apache/logging/log4j/log4j-core/2.6.2/log4j-core-2.6.2.jar
at <org.finra.herd.core.helper.HerdThreadHelper: void executeAsync(java.lang.Runnable)> (org.finra.herd.core.helper.HerdThreadHelper.java:[52]) in /detect/unzip/herd-0.51.0/herd-code/herd-core/target/classes
Hi, In herd/herd-code/herd-core,there is a dependency org.apache.logging.log4j:log4j-core:2.6.2 that calls the risk method.
CVE-2017-5645 CVE-2020-9488
The scope of this CVE affected version is [,2.13.2)
After further analysis, in this project, the main Api called is <org.apache.logging.log4j.core.net.server.ObjectInputStreamLogEventBridge: java.io.InputStream wrapStream(java.io.InputStream)>
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 9
Dependency tree--
Suggested solutions:
Update dependency version
Thank you very much.