Closed soufiene-aissa closed 2 years ago
If you send a pull request this way I will be glad to review and merge it in.
@yepher @soufiene-aissa I did this migration from log4j 1.x to 2.x for one of my projects, one of the reasons being to fix security vulnerability alerts. Will it be okay if I take this up, if it isn't already taken up? This is the migration reference document that I'll be following --> reference
@yepher @soufiene-aissa I have raised the above PR which will fix this vulnerability CVE-2019-17571, in this project. Hope this helps, cheers ✌️
This is fixed in v0.24
Hello,
Sparkpost still uses an old version of Log4j. We are facing a problem fixing this alert, because we cannot upgrade to the new project (https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core).
This is the description of the vulnerability:
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
Users are advised to migrate to org.apache.logging.log4j:log4j-core
Source : https://nvd.nist.gov/vuln/detail/CVE-2019-17571
Can you please fix it as soon as possible?
Regards,
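The check a user of the library would want before opening an issue like this: an added example (not the project's own code) that walks `mvn dependency:tree` output and reports every `log4j:log4j` node at version 1.2.17 or lower, the range quoted above for CVE-2019-17571, together with the dependency path that pulls it in, since the problem here is a transitive dependency the application cannot upgrade directly. The tree text is a constructed sample; `com.example:mail-client` is a placeholder artifact name, not SparkPost's.

```python
"""Flag log4j 1.2.x (CVE-2019-17571) nodes in `mvn dependency:tree` output."""
import re

# Affected coordinates and last affected version, per the advisory quoted in the issue.
VULNERABLE_GROUP_ARTIFACT = ("log4j", "log4j")
LAST_AFFECTED = (1, 2, 17)

# Constructed sample output; the parent artifact is a placeholder, not a real library.
SAMPLE_TREE = """\
[INFO] com.example:myapp:jar:1.0
[INFO] +- com.example:mail-client:jar:1.0:compile
[INFO] |  \\- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.36:compile
"""

# Tree prefix (|, +, \, -, spaces) followed by one Maven coordinate and nothing else.
LINE_RE = re.compile(r"^\[INFO\]\s(?P<tree>[|+\\\- ]*)(?P<coord>\S+)$")


def parse_version(text):
    """'1.2.17' -> (1, 2, 17); missing components are padded with 0 for comparison."""
    nums = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def find_vulnerable_log4j(tree_output):
    """Return [(coordinate, [ancestor coordinates...])] for each affected log4j node."""
    findings = []
    stack = []  # (depth, coordinate) of the current ancestor chain
    for line in tree_output.splitlines():
        m = LINE_RE.match(line)
        if not m or ":" not in m.group("coord"):
            continue
        depth = len(m.group("tree")) // 3  # each nesting level is 3 characters wide
        coord = m.group("coord")
        while stack and stack[-1][0] >= depth:  # climb back to this node's parent
            stack.pop()
        parts = coord.split(":")
        # group:artifact:type[:classifier]:version[:scope]; 6 parts means a classifier
        version = parts[4] if len(parts) == 6 else parts[3]
        if (parts[0], parts[1]) == VULNERABLE_GROUP_ARTIFACT and parse_version(version) <= LAST_AFFECTED:
            findings.append((coord, [c for _, c in stack]))
        stack.append((depth, coord))
    return findings


if __name__ == "__main__":
    for coord, path in find_vulnerable_log4j(SAMPLE_TREE):
        print(f"{coord} is affected by CVE-2019-17571, pulled in via {' -> '.join(path)}")
```

Run it with `mvn dependency:tree > tree.txt` and `find_vulnerable_log4j(open("tree.txt").read())` to see which direct dependency has to move to `org.apache.logging.log4j:log4j-core` before the alert can clear.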