awslabs / amazon-dynamodb-lock-client

The AmazonDynamoDBLockClient is a general purpose distributed locking library built on top of DynamoDB. It supports both coarse-grained and fine-grained locking.

Update pom.xml #60

Closed justinwlin-amazon closed 3 years ago

justinwlin-amazon commented 3 years ago

Issue #, if available: There is a problem with the log4j library: it has a security vulnerability, so the dependency needs to be bumped.

Description of changes: Changed the dependency

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

justinwlin-amazon commented 3 years ago

Updating log4j dependency to log4j-core.

CVE-2019-17571
critical severity
Vulnerable versions: >= 1.2, <= 1.2.27
Patched version: No fix
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Users are advised to migrate to org.apache.logging.log4j:log4j-core
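The advisory quoted above has no patched 1.x release, so the only remediation is the coordinate swap this PR makes: replace `log4j:log4j` with `org.apache.logging.log4j:log4j-core`. As an added example (not code from this PR or from the amazon-dynamodb-lock-client project), the script below scans a pom.xml for the abandoned `log4j:log4j` artifact, resolves `${...}` property references so the reported version is the real one, and emits the replacement `<dependency>` block. The pom.xml it scans is a constructed sample, not the project's own, and the property and artifact names in it are illustrative.

```python
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"

# Coordinates of the Log4j 1.x line (CVE-2019-17571, no fixed 1.x version exists)
# and of the 2.x artifact the advisory tells users to migrate to.
VULNERABLE = ("log4j", "log4j")
REPLACEMENT = ("org.apache.logging.log4j", "log4j-core")

# Constructed sample pom.xml for this example (not the project's real pom.xml).
# It pins log4j 1.x through a property to show that the literal version string
# is not enough to spot the dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>lock-consumer</artifactId>
  <version>1.0.0</version>
  <properties>
    <log4j.version>1.2.17</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.17.1</version>
    </dependency>
  </dependencies>
</project>
"""


def _text(elem, tag):
    """Return the stripped text of a namespaced child element, or None."""
    child = elem.find(NS + tag)
    return child.text.strip() if child is not None and child.text else None


def _resolve(value, props):
    """Expand ${name} references against <properties>; unknown names are left as-is."""
    if value is None:
        return None
    out = value
    for _ in range(10):  # bounded so a self-referencing property cannot loop forever
        start = out.find("${")
        if start < 0:
            break
        end = out.find("}", start)
        if end < 0:
            break
        key = out[start + 2:end]
        if key not in props:
            break
        out = out[:start] + props[key] + out[end + 1:]
    return out


def find_vulnerable_log4j(pom_xml):
    """Return every log4j:log4j dependency in the pom, with its resolved version.

    Every <dependency> element is inspected, including those under
    <dependencyManagement>, since both decide what ends up on the classpath.
    """
    root = ET.fromstring(pom_xml)
    props = {p.tag[len(NS):]: (p.text or "").strip()
             for p in root.iterfind(NS + "properties/*")}
    findings = []
    for dep in root.iter(NS + "dependency"):
        gid, aid = _text(dep, "groupId"), _text(dep, "artifactId")
        if (gid, aid) == VULNERABLE:
            findings.append({
                "groupId": gid,
                "artifactId": aid,
                "version": _resolve(_text(dep, "version"), props),
                "replace_with": REPLACEMENT,
            })
    return findings


def render_replacement(version):
    """Render the <dependency> block that replaces log4j:log4j; version is caller-chosen."""
    gid, aid = REPLACEMENT
    return ("<dependency>\n"
            f"  <groupId>{gid}</groupId>\n"
            f"  <artifactId>{aid}</artifactId>\n"
            f"  <version>{version}</version>\n"
            "</dependency>")


if __name__ == "__main__":
    for hit in find_vulnerable_log4j(SAMPLE_POM):
        print(f"found {hit['groupId']}:{hit['artifactId']}:{hit['version']} "
              f"-> migrate to {':'.join(hit['replace_with'])}")
        print(render_replacement("<current 2.x release>"))
```

Swapping the coordinates changes the API as well: Log4j 1.x code imports `org.apache.log4j`, while log4j-core 2.x lives under `org.apache.logging.log4j`, so either the call sites are updated or the `log4j-1.2-api` bridge artifact is added alongside log4j-core. The sample deliberately has no fixed-version check, because the advisory lists no patched 1.x release; presence of `log4j:log4j` at any version is the finding.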