jfrog / artifactory-gradle-plugin

JFrog Gradle plugin for Build Info extraction and Artifactory publishing.
Apache License 2.0

Apache Log4j Vulnerability issue - Black Duck #65

Closed josephreji closed 1 year ago

josephreji commented 1 year ago

How can we help?

Our product is using build-info-extractor-gradle for publishing artifacts to a JFrog Artifactory repository. A couple of months back our team introduced vulnerability scanning tools. One of them is Black Duck. We are getting multiple critical warnings from that tool due to the internal dependency on Apache Log4j. We upgraded build-info-extractor-gradle to the latest 5.1.4, but we are still getting the same warning. Now it has become a compliance issue for our product. Could you please advise how to solve this?

Please find more details below:

build.gradle -> -gradle -> org.jfrog.buildinfo:build-info-extractor-gradle:5.1.3 -> org.jfrog.buildinfo:build-info-extractor:2.41.4 -> commons-logging:commons-logging:1.2 -> log4j:log4j:1.2.17

https://mvnrepository.com/artifact/org.jfrog.buildinfo/build-info-extractor-gradle/5.1.4

Published on: 12/20/19
Updated on: 1/3/23
Base score: 9.8
Exploitability: 3.9

Description: Apache Log4j is vulnerable to remote code execution (RCE). This allows a remote attacker to send a crafted serialized payload that, when processed by Log4j, will execute arbitrary code. This can occur if Log4j is deserializing untrusted network traffic.

https://nvd.nist.gov/vuln/detail/CVE-2019-17571 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571
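The chain quoted above (plugin -> build-info-extractor -> commons-logging -> log4j:log4j:1.2.17) lives on the buildscript classpath, so a regular `dependencies` report will not show it. The following build.gradle fragment is an added example, not code from the jfrog/artifactory-gradle-plugin project: it excludes the transitive log4j 1.x from the plugin's classpath and registers a check task that fails the build if any log4j:log4j 1.x artifact still resolves there. It assumes the plugin is declared on the buildscript classpath of build.gradle (the version string is the one named in the issue).

```groovy
// Added example (not part of the JFrog plugin). Assumes build.gradle applies the
// plugin through the buildscript classpath, as the dependency chain in the issue shows.
buildscript {
    repositories { mavenCentral() }
    dependencies {
        classpath 'org.jfrog.buildinfo:build-info-extractor-gradle:5.1.4'
    }
    configurations.classpath {
        // Drop the transitive log4j 1.2.x pulled in through commons-logging:1.2.
        // build-info-extractor does not need it at runtime for publishing.
        exclude group: 'log4j', module: 'log4j'
    }
}

// Gate: fail the build if a log4j 1.x artifact is still on the buildscript classpath
// (for example if another plugin or a different repository re-introduces it).
tasks.register('checkForLog4j1') {
    description = 'Fails if log4j:log4j 1.x resolves on the buildscript classpath'
    doLast {
        def hits = buildscript.configurations.classpath
            .resolvedConfiguration.resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group == 'log4j' && it.name == 'log4j' && it.version.startsWith('1.') }
            .collect { "${it.group}:${it.name}:${it.version}" }
            .unique()
        if (hits) {
            throw new GradleException(
                "Vulnerable log4j 1.x on buildscript classpath (CVE-2019-17571): ${hits.join(', ')}")
        }
        logger.lifecycle('No log4j 1.x artifact on the buildscript classpath')
    }
}
```

Run `./gradlew buildEnvironment` to print the buildscript dependency tree and confirm the log4j:log4j edge is gone, and wire `checkForLog4j1` into your CI pipeline so a future transitive regression fails the build instead of surfacing weeks later in a scanner report.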

yahavi commented 1 year ago

Hey @josephreji, Thanks for bringing up this problem! We've rolled out v5.1.6 to address it. Check it out here:

Your feedback would be greatly valued.

josephreji commented 1 year ago

@yahavi That's awesome! Thanks for fixing this issue so quickly.