eed3si9n / scalaxb

scalaxb is an XML data binding tool for Scala.
http://scalaxb.org/
MIT License

Migrate to log4j 2.17.1 or newer #603

Open LukaszKontowski opened 1 year ago

LukaszKontowski commented 1 year ago

The current version of log4j, 1.2.17, has lots of vulnerabilities. Also, Log4j 1 reached End-Of-Life in August 2015. Migrating to some safe log4j 2.x version would be beneficial for the project and for scalaxb users.

Migrate to log4j 2.17.1 or newer.

Example vulnerability findings for 1.2.17:

✗ Man-in-the-Middle (MitM) [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-1300176] in log4j:log4j@1.2.17
  introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available

✗ Arbitrary Code Execution [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-2316893] in log4j:log4j@1.2.17
  introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available

✗ SQL Injection [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-2342645] in log4j:log4j@1.2.17
  introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available

✗ Deserialization of Untrusted Data [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-2342646] in log4j:log4j@1.2.17
  introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available

✗ Deserialization of Untrusted Data [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-2342647] in log4j:log4j@1.2.17
  introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available

✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-3358774] in log4j:log4j@1.2.17
  introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available

✗ Deserialization of Untrusted Data [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-572732] in log4j:log4j@1.2.17
  introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available
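Until scalaxb itself drops log4j 1.x, a downstream build can cut the transitive `log4j:log4j@1.2.17` edge shown in the Snyk output above and supply Log4j 2 in its place. The build.sbt below is an added example for a hypothetical consumer project, not code from the scalaxb project or from the issue author; it assumes sbt 1.4 or newer, the artifact coordinates printed in the findings (`org.scalaxb:scalaxb_2.13:1.9.0`), and that the consumer does not depend on log4j 1.x internals that the Log4j 2 bridge does not re-implement.

```scala
// build.sbt (added example for a hypothetical consumer of scalaxb; not part of scalaxb).
// Assumes sbt 1.4+ and the coordinates from the Snyk report above.
ThisBuild / scalaVersion := "2.13.10"   // assumption: any 2.13.x works

// Version the issue asks for; pick a newer 2.x release if one is available.
val log4j2Version = "2.17.1"

libraryDependencies ++= Seq(
  // The dependency that pulls in log4j:log4j:1.2.17 transitively.
  "org.scalaxb" %% "scalaxb" % "1.9.0",

  // Log4j 2 API and runtime that replace the 1.x jar.
  "org.apache.logging.log4j" % "log4j-api"  % log4j2Version,
  "org.apache.logging.log4j" % "log4j-core" % log4j2Version,

  // Bridge that provides the org.apache.log4j.* (1.x) classes on top of Log4j 2,
  // so bytecode compiled against 1.2.17 (scalaxb included) still links at runtime.
  "org.apache.logging.log4j" % "log4j-1.2-api" % log4j2Version
)

// Remove log4j:log4j from the resolved graph in every configuration, regardless of
// which dependency introduced it. Without this, Ivy/Coursier keeps 1.2.17 on the
// classpath alongside the bridge and the two sets of org.apache.log4j classes collide.
excludeDependencies += ExclusionRule(organization = "log4j", name = "log4j")

// Belt and braces: if some other dependency later requests log4j:log4j explicitly,
// the exclusion above still wins because it applies to the whole build.
```

Check it worked with `sbt dependencyTree` (built into sbt 1.4+) and confirm that `log4j:log4j` no longer appears under `org.scalaxb:scalaxb_2.13`, then re-run the scanner (`snyk test`) so the seven findings above disappear rather than merely being accepted. Two caveats: the bridge covers the common 1.x logging API but not every 1.x extension point (custom appenders or layouts written against 1.x internals may need porting), and Log4j 2 is configured through its own `log4j2.xml`/`log4j2.properties`; check the release notes of the bridge version you pick for how much of a legacy `log4j.properties` it honours before relying on the old file.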