FINRAOS / herd

Herd is a managed data lake for the cloud. The Herd unified data catalog helps separate storage from compute in the cloud. Manage petabytes of data and make it accessible for data processing and analytical purposes by any cloud compute platform.
http://finraos.github.io/herd/
Apache License 2.0

Dependency org.apache.logging.log4j:log4j-core, leading to CVE problem #499

Closed CVEDetect closed 2 years ago

CVEDetect commented 2 years ago

Hi, in herd/herd-code/herd-core, there is a dependency org.apache.logging.log4j:log4j-core:2.6.2 that calls the risk method.

CVE-2017-5645 CVE-2020-9488

The affected version range of this CVE is [,2.13.2).

After further analysis, in this project, the main API called is <org.apache.logging.log4j.core.net.server.ObjectInputStreamLogEventBridge: java.io.InputStream wrapStream(java.io.InputStream)>

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length : 9

<org.apache.logging.log4j.core.net.server.ObjectInputStreamLogEventBridge: java.io.InputStream wrapStream(java.io.InputStream)>
at <org.apache.logging.log4j.core.net.server.UdpSocketServer: void run()> (org.apache.logging.log4j.core.net.server.UdpSocketServer.java:[156]) in /.m2/repository/org/apache/logging/log4j/log4j-core/2.6.2/log4j-core-2.6.2.jar
at <org.finra.herd.core.helper.HerdThreadHelper: void executeAsync(java.lang.Runnable)> (org.finra.herd.core.helper.HerdThreadHelper.java:[52]) in /detect/unzip/herd-0.51.0/herd-code/herd-core/target/classes

Dependency tree--

[INFO] org.finra.herd:herd-core:jar:0.51.0-SNAPSHOT
[INFO] |  +- org.jvnet.jaxb2_commons:jaxb2-basics-runtime:jar:0.10.0:compile
[INFO] |  \- org.eclipse.persistence:org.eclipse.persistence.moxy:jar:2.6.2:compile
[INFO] |     +- org.eclipse.persistence:org.eclipse.persistence.core:jar:2.6.2:compile
[INFO] |     |  \- org.eclipse.persistence:org.eclipse.persistence.asm:jar:2.6.2:compile
[INFO] |     +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] |     \- org.glassfish:javax.json:jar:1.0.4:compile
[INFO] +- org.finra.herd:herd-model:jar:0.51.0-SNAPSHOT:compile
[INFO] |  +- org.finra.herd:herd-model-api:jar:0.51.0-SNAPSHOT:compile
[INFO] |  +- org.springframework.security:spring-security-web:jar:4.0.3.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-web:jar:4.2.4.RELEASE:compile
[INFO] |  +- org.hibernate.javax.persistence:hibernate-jpa-2.1-api:jar:1.0.0.Final:compile
[INFO] |  +- org.hibernate:hibernate-jpamodelgen:jar:5.0.7.Final:compile
[INFO] |  |  \- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.6.4:compile
[INFO] +- commons-cli:commons-cli:jar:1.3.1:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.4:compile
[INFO] +- commons-io:commons-io:jar:2.4:compile
[INFO] +- commons-codec:commons-codec:jar:1.10:compile
[INFO] +- org.aspectj:aspectjweaver:jar:1.8.7:compile
[INFO] +- org.aspectj:aspectjrt:jar:1.8.7:compile
[INFO] +- org.springframework:spring-beans:jar:4.2.4.RELEASE:compile
[INFO] +- org.springframework:spring-context:jar:4.2.4.RELEASE:compile
[INFO] |  +- org.springframework:spring-aop:jar:4.2.4.RELEASE:compile
[INFO] |  \- org.springframework:spring-expression:jar:4.2.4.RELEASE:compile
[INFO] +- org.springframework:spring-context-support:jar:4.2.4.RELEASE:compile
[INFO] +- org.springframework:spring-core:jar:4.2.4.RELEASE:compile
[INFO] +- org.springframework.security:spring-security-config:jar:4.0.3.RELEASE:compile
[INFO] |  +- aopalliance:aopalliance:jar:1.0:compile
[INFO] |  \- org.springframework.security:spring-security-core:jar:4.0.3.RELEASE:compile
[INFO] +- org.quartz-scheduler:quartz:jar:2.2.2:compile
[INFO] |  \- c3p0:c3p0:jar:0.9.1.1:compile
[INFO] +- org.jsoup:jsoup:jar:1.10.2:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.21:compile
[INFO] +- org.slf4j:jcl-over-slf4j:jar:1.7.21:compile
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.6.2:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.6.2:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.6.2:compile
[INFO] +- com.google.code.findbugs:annotations:jar:3.0.1:compile
[INFO] |  +- net.jcip:jcip-annotations:jar:1.0:compile
[INFO] |  \- com.google.code.findbugs:jsr305:jar:3.0.1:compile
[INFO] +- io.swagger:swagger-annotations:jar:1.5.9:compile
[INFO]    \- com.sun:tools:jar:0:system

Suggested solutions:

Update dependency version

Thank you very much.
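An added example, not code from the issue or from the herd project: a small Python check that parses `mvn dependency:tree` output like the tree above and flags every org.apache.logging.log4j:log4j-core occurrence whose version falls inside the reported range [,2.13.2). The sample tree is constructed from a slice of the report plus two made-up lines, and the version ordering is a simplified approximation of Maven's (numeric segments, `-qualifier` below the bare release).

```python
import re

# Constructed sample: a slice of the mvn dependency:tree output quoted in the report,
# plus two made-up lines (shaded-logging, a 2.17.1 test-scope log4j-core) to pass over.
SAMPLE_TREE = """\
[INFO] org.finra.herd:herd-core:jar:0.51.0-SNAPSHOT
[INFO] +- org.slf4j:slf4j-api:jar:1.7.21:compile
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.6.2:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.6.2:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.6.2:compile
[INFO] |  \\- org.example:shaded-logging:jar:1.0:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.1:test
"""

AFFECTED_RANGE = "[,2.13.2)"  # as stated in the report: no lower bound, exclusive upper bound

COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):(\w+):([\w.\-]+):(\w+)\s*$")
RANGE_RE = re.compile(r"^([\[(])\s*([^,\])]*)\s*,\s*([^,\])]*)\s*([\])])$")

def parse_tree(text):
    """Yield (groupId, artifactId, version, scope) for each dependency line."""
    for line in text.splitlines():
        m = COORD_RE.search(line)
        if m:
            group, artifact, _packaging, version, scope = m.groups()
            yield group, artifact, version, scope

def version_key(v):
    """Simplified Maven ordering: numeric dot-segments; '-SNAPSHOT' etc. sorts below the release."""
    base, _, qualifier = v.partition("-")
    nums = tuple(int(p) for p in base.split(".") if p.isdigit())
    return nums, (-1 if qualifier else 0), qualifier.lower()

def in_range(version, spec):
    """True if version lies inside a Maven range such as [,2.13.2) or [2.0,2.13.2)."""
    m = RANGE_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported range: {spec}")
    lo_br, lo, hi, hi_br = m.groups()
    k = version_key(version)
    if lo and (k < version_key(lo) or (k == version_key(lo) and lo_br == "(")):
        return False
    if hi and (k > version_key(hi) or (k == version_key(hi) and hi_br == ")")):
        return False
    return True

def find_affected(tree_text, group, artifact, spec):
    """Every (version, scope) of group:artifact in the tree that falls inside spec."""
    return [(v, s) for g, a, v, s in parse_tree(tree_text)
            if g == group and a == artifact and in_range(v, spec)]
```

Running `find_affected(SAMPLE_TREE, "org.apache.logging.log4j", "log4j-core", AFFECTED_RANGE)` returns only the 2.6.2 compile-scope entry; the same call over a real `mvn dependency:tree` dump is a quick way to confirm the upgrade actually reached every path.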

CVEDetect commented 2 years ago

@aniruddhadas9 Could you please help me check this issue? May I open a pull request to fix it? Thanks again.