SparkPost / java-sparkpost

SparkPost client library for Java
https://www.sparkpost.com/

Log4j critical vulnerability!! #103

Closed soufiene-aissa closed 2 years ago

soufiene-aissa commented 3 years ago

Hello,

SparkPost still uses an old version of Log4j. We are facing a problem fixing this alert, because we cannot upgrade to the new project (https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core).

This is the description of the vulnerability:

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Users are advised to migrate to org.apache.logging.log4j:log4j-core

Source: https://nvd.nist.gov/vuln/detail/CVE-2019-17571

Can you please fix it as soon as possible?

Regards,
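A check a reader of this issue can run against their own build, added here as an example and not part of java-sparkpost: it scans `mvn dependency:tree` output for the legacy log4j:log4j artifact named in the NVD text above and reports which dependency chain pulls it in, which is what you need before adding an exclusion or migrating. The sample tree, and the sparkpost-lib coordinates and version in it, are constructed placeholders.

```python
"""Scan `mvn dependency:tree` output for the legacy log4j:log4j artifact covered by
CVE-2019-17571 and report which dependency chain pulls it in."""
import re

# The NVD text quoted in the issue covers log4j:log4j releases up to 1.2.17, which is
# also the last 1.x release ever published, so every 1.x build falls in range.
AFFECTED = ("log4j", "log4j")
LAST_AFFECTED = (1, 2, 17)
# "[INFO] ", tree drawing in 3-character steps, then group:artifact:type[:classifier]:version[:scope]
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:[|+\\ -]{3})*)(?P<coord>\S+:\S+)$")

# Constructed sample tree; the sparkpost-lib coordinates and version are placeholders.
SAMPLE_TREE = r"""
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- com.sparkpost:sparkpost-lib:jar:0.0.0-PLACEHOLDER:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] |  \- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] \- org.slf4j:slf4j-log4j12:jar:1.7.32:test
[INFO]    \- log4j:log4j:jar:1.2.16:test
"""


def version_tuple(version: str) -> tuple:
    """'1.2.17' -> (1, 2, 17); non-numeric qualifiers are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])


def scan_tree(text: str) -> list:
    """Return (version, scope, ancestor_chain) for each affected log4j:log4j node."""
    stack, findings = [], []  # stack holds the groupId:artifactId at each depth
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # plugin banner, blank or other non-tree line
        depth = len(m.group("prefix")) // 3
        parts = m.group("coord").split(":")
        version = parts[-1] if depth == 0 else parts[-2]  # root line has no scope
        scope = "" if depth == 0 else parts[-1]
        del stack[depth:]  # leaving a subtree: forget deeper ancestors
        stack.append(f"{parts[0]}:{parts[1]}")
        if tuple(parts[:2]) == AFFECTED and version_tuple(version) <= LAST_AFFECTED:
            findings.append((version, scope, stack[:-1]))
    return findings


if __name__ == "__main__":
    for version, scope, chain in scan_tree(SAMPLE_TREE):
        print(f"log4j:log4j:{version} ({scope}) via {' -> '.join(chain)}")
```

Pipe real output in with `mvn dependency:tree | python3 scan.py` after swapping `SAMPLE_TREE` for `sys.stdin.read()`; the ancestor chain tells you which direct dependency to exclude log4j from while you move to log4j-core.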

yepher commented 3 years ago

If you send a pull request, I will be glad to review and merge it in.

ThirumlaDevi commented 3 years ago

@yepher @soufiene-aissa I did this migration from log4j 1.x to 2.x for one of my projects, one of the reasons being to fix security vulnerability alerts. Will it be okay if I take this up, if it isn't already taken up? This is the migration reference document that I'll be following --> reference

ThirumlaDevi commented 3 years ago

@yepher @soufiene-aissa I have raised the above PR, which will fix this vulnerability (CVE-2019-17571) in this project. Hope this helps, cheers ✌️

yepher commented 2 years ago

This is fixed in v0.24