Open danielgrigg-skyfii opened 2 years ago
Inaccurate to say "It does not have a workaround": https://logging.apache.org/log4j/2.x/security.html#fixed-in-log4j-2-8-2-java-7
Java 6 users should avoid using the TCP or UDP socket server classes, or they can manually backport the security fix commit from 2.8.2.
Since this codebase only uses the Logger
interface, there's nothing in here that would be directly affected by that CVE - users would have to be explicitly adding references in their own applications in order to get hit by the bug.
However, updating to a more recent version of log4j would eliminate the risk to users, at the small cost of dropping support for Java 6, which seems like a reasonable tradeoff in 2023.
Describe the bug See https://www.cve.org/CVERecord?id=CVE-2017-5645
To Reproduce See https://www.cve.org/CVERecord?id=CVE-2017-5645
Expected behavior Not be vulnerable to https://www.cve.org/CVERecord?id=CVE-2017-5645
Screenshots N/A
Code snippet N/A
Environment com.github.salesforce-marketingcloud:fuelsdk@1.6.0
The bug has the severity
Additional context