CVE: 2023-26464 found in Apache Log4j - Version: 1.2.17 [JAVA]

[github-actions[bot]]

Veracode Software Composition Analysis

Attribute	Details
Library	Apache Log4j
Description	Apache Log4j 1.2
Language	JAVA
Vulnerability	Denial Of Service (DoS)
Vulnerability description	log4j:log4j is vulnerable to Denial of Service (DoS) attacks. The vulnerability is due to the Chainsaw or SocketAppender components processing a logging entry with either a deeply nested hashmap or hashtable, which can lead to memory exhaustion when the object is deserialized. An attacker can submit a crafted logging entry and cause Denial of Service if the JRE is below 1.7.
CVE	2023-26464
CVSS score	5
Vulnerability present in version/s	1.1.3-1.2.17
Found library version/s	1.2.17
Vulnerability fixed in version
Library latest version	1.2.17
Fix	No fix is released. log4j:log4j 1.x has reached End of Life. Users should upgrade to the latest Log4j 2.x version.

Links:

• https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/163?version=1.2.17
• https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/39644
• Patch:

[github-actions[bot]]

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/2

[github-actions[bot]]

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/43

[github-actions[bot]]

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/63

[github-actions[bot]]

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/64

[github-actions[bot]]

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/65

[github-actions[bot]]

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/67

[github-actions[bot]]

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/68

[github-actions[bot]]

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/69

[github-actions[bot]]

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/70