Closed: schubon closed this 4 years ago
The pom.xml file for streamsx.hbase has been updated: log4j-1.2.15.jar --> log4j-1.2.17.jar. Testing is in progress. The correction will be delivered in the next release (3.8.2).
streamsx.hbase: the following jar libraries have been upgraded: slf4j-log4j12-1.7.10.jar --> slf4j-log4j12-1.7.30.jar, slf4j-api-1.7.10.jar --> slf4j-api-1.7.30.jar. All JUnit tests have passed successfully.
HBASE: Vulnerability in log4j:log4j
Correction delivered in version 3.8.2
https://github.com/IBMStreams/streamsx.hbase/releases/tag/v3.8.2
Details
CVE-2019-17571, moderate severity. Vulnerable versions: >= 1.2, <= 1.2.17. Patched version: No fix.
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data. This can be exploited to remotely execute arbitrary code when combined with a deserialization gadget, if the server is listening on untrusted network traffic for log data. This affects Log4j versions 1.2 up to and including 1.2.17.
Remediation
No patched version is available.
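The advisory above puts every 1.2.x build, up to and including 1.2.17, in the vulnerable range and lists no fixed release, so moving a pom.xml from 1.2.15 to 1.2.17 does not take the dependency out of that range. What a reviewer can verify mechanically is which Log4j 1.x jars a build still ships and whether they carry the deserialising `org.apache.log4j.net.SocketServer` class. The following is an added example in Python (not code from streamsx.hbase, Apache Log4j, or the issue's author) that performs that scan over a directory of jars. The jars it builds for the demo are constructed stand-ins with placeholder class bytes, and the function names and `lib/` layout are this example's own assumptions.

```python
"""Added example (not part of streamsx.hbase or Apache Log4j): scan a build tree
for Log4j 1.2.x jars, flag the advisory range (>= 1.2, <= 1.2.17, no fixed
release) and report whether the SocketServer class is on the classpath.
The demo jars are constructed in a temp directory; they are not real artefacts."""
import os
import re
import tempfile
import zipfile

# Presence of this entry means the log receiver from CVE-2019-17571 can be started.
SOCKET_SERVER_CLASS = "org/apache/log4j/net/SocketServer.class"
# Marker of the Log4j 1.x package layout (Log4j 2 proper lives under org/apache/logging/log4j).
LOG4J1_MARKER = "org/apache/log4j/Logger.class"

# Range from the advisory text: every 1.2.x build, 1.2.17 being the last one shipped.
VULN_MIN = (1, 2)
VULN_MAX = (1, 2, 17)


def parse_version(text):
    """'log4j-1.2.17.jar' -> (1, 2, 17); None when no version is found."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def _pad(version, width=3):
    """Right-pad a version tuple with zeros so (1, 2) compares as (1, 2, 0)."""
    return tuple(version) + (0,) * (width - len(version))


def in_vulnerable_range(version):
    """True for 1.2.0 .. 1.2.17 inclusive, i.e. the whole Log4j 1.2 line."""
    if version is None:
        return False
    return _pad(VULN_MIN) <= _pad(version) <= _pad(VULN_MAX)


def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def scan_jar(path):
    """Finding for one jar, or None if it is not a Log4j 1.x jar."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if LOG4J1_MARKER not in names:
            return None
        # Prefer the manifest; fall back to the version embedded in the file name.
        version = manifest_version(zf) or parse_version(os.path.basename(path))
        return {
            "path": path,
            "version": version,
            "has_socket_server": SOCKET_SERVER_CLASS in names,
            "vulnerable": in_vulnerable_range(version),
        }


def scan_tree(root):
    """All Log4j 1.x findings under a directory (e.g. a Maven target/ or lib/)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".jar"):
                finding = scan_jar(os.path.join(dirpath, name))
                if finding is not None:
                    findings.append(finding)
    return findings


def build_demo_jar(directory, artifact, version, log4j1=True, socket_server=True):
    """Construct a stand-in jar with placeholder class bytes (not a real artefact)."""
    path = os.path.join(directory, f"{artifact}-{version}.jar")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if log4j1:
            zf.writestr(LOG4J1_MARKER, b"\xca\xfe\xba\xbe")
            if socket_server:
                zf.writestr(SOCKET_SERVER_CLASS, b"\xca\xfe\xba\xbe")
    return path


def demo():
    """Scan a constructed lib/ tree holding the 1.2.15 jar, the 1.2.17 jar the
    issue moved to, and an slf4j jar that is not Log4j at all. Returns findings."""
    with tempfile.TemporaryDirectory() as lib:
        build_demo_jar(lib, "log4j", "1.2.15")
        build_demo_jar(lib, "log4j", "1.2.17")
        build_demo_jar(lib, "slf4j-api", "1.7.30", log4j1=False)
        findings = scan_tree(lib)
    for f in findings:
        print(f"{os.path.basename(f['path'])}: version={f['version']} "
              f"socket_server={f['has_socket_server']} vulnerable={f['vulnerable']}")
    return findings


if __name__ == "__main__":
    demo()
```

Run against a real build output the scan reports both the 1.2.15 and the 1.2.17 jar as in range, which is the point of the advisory's "No fix" line: the version bump changes nothing for this CVE. The exposure itself only exists where something actually starts the receiver, so the companion check is a search of the deployment's run scripts and configuration for invocations of `org.apache.log4j.net.SocketServer` or `SimpleSocketServer` on a listening port; if nothing launches them, the class is present but unreachable over the network.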