Closed zjfplayer closed 2 years ago
@zjfplayer That CVE has already been fixed in reload4j 1.2.18.1.
See https://github.com/qos-ch/reload4j/commit/64902fe18ce5a5dd40487051a2f6231d9fbbe9b0 for the commit and https://reload4j.qos.ch/ for the release notes.
@zjfplayer Thank you for your comments. May I ask which scanning tool is reporting the issue?
As @123Haynes observed, the deserialization CVE was solved in reload4j 1.2.18.1 by controlling the set of allowed deserialized types whereas chainsaw in log4j 2.x solves the issue by removing the LoggingReceiver class.
This difference might be confusing the scanning tool...
@123Haynes @ceki Thank you for your replies. The scanning platform is an internal platform of our company. According to your reply, I communicated with the person in charge of the platform and it is true that this is a wrong report.
We used the scanning platform to scan the latest 1.2.19 version of reload4j and found the following CRITICAL vulnerabilities.
For details, see https://nvd.nist.gov/vuln/detail/CVE-2022-23307