Forum thread: JTAPI » log4j Vulnerabilities
JosephSlawinski (Joined: 28/12/2016 14:51:20, Messages: 4, Offline)

Log4J has high vulnerabilities reported. Is there any way to use jtapi version 8.1.3 without the Log4j dependency. Currently a security scan has flagged my project and I am required to resolve the security issue.

https://nvd.nist.gov/vuln/detail/CVE-2019-17571

Arbitrary Code Execution: log4j-core is vulnerable to arbitrary code execution. Deserialization of untrusted data in `TcpSocketServer` and `UdpSocketServer` when listening for log data allows an attacker to execute arbitrary code via a malicious deserialization gadget.


Thank You,

Joseph
JosephSlawinski (Joined: 28/12/2016 14:51:20, Messages: 4, Offline)

I was able to update to the latest version of log4j, 2.14.1. It appears to work. The following dependencies were added to my POM file.

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.14.1</version>
</dependency>

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.14.1</version>
</dependency>

Next application scan will determine if the issue is resolved.
MartinFlynn (Joined: 30/11/2009 05:00:18, Messages: 1779, Offline)

The current plan is to upgrade the version of log4j in JTAPI and DMCC for AES 10.1, which is the next major release.

Martin
JosephSlawinski (Joined: 28/12/2016 14:51:20, Messages: 4, Offline)

Was able to deploy log4j version 2. Refer to the following URL for version 2 to 1 compatibility.

https://logging.apache.org/log4j/2.x/manual/compatibility.html

The following dependency was added to the POM file.

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-1.2-api</artifactId>
    <version>2.14.1</version>
</dependency>

Awaiting latest scan results to determine if this clears the issue.
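The two posts above describe the migration the thread settles on: keep log4j 2.x (log4j-core and log4j-api) on the classpath and add the log4j-1.2-api bridge so that code compiled against the log4j 1.x API, such as JTAPI, keeps logging through the 2.x core. What the posts do not show is how to confirm, before the next security scan, that the flagged log4j 1.2.x jar is really gone rather than still arriving transitively next to the bridge. The script below is an added example, not code from the thread or from the JTAPI project; it parses `mvn dependency:tree` output, reports any `log4j:log4j` artifact together with the direct dependency that pulled it in, checks that the 2.x core and the bridge are present, and prints the Maven `<exclusion>` block that removes the transitive 1.x jar. The dependency tree it runs on is constructed, and the `com.example:jtapi-placeholder` coordinates stand in for the real JTAPI artifact, whose coordinates are not given on the page.

```python
"""Check a Maven dependency tree for a leftover log4j 1.x jar after migrating
to log4j 2.x with the log4j-1.2-api bridge (added example, not project code)."""
import re
from typing import Dict, List, Optional, Tuple

Dep = Tuple[str, str, str]  # (groupId, artifactId, version)

# Matches "groupId:artifactId:jar:version[:scope]" as printed by mvn dependency:tree.
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):(?:jar|pom|war):([\w.\-]+)(?::(\w+))?")

# Constructed sample of `mvn dependency:tree` output. The jtapi-placeholder
# coordinates are hypothetical; the log4j 2.14.1 artifacts are the ones the
# thread adds. The log4j:log4j 1.2.17 line is the transitive jar a scanner flags.
SAMPLE_TREE = r"""
[INFO] com.example:cti-app:jar:1.0.0
[INFO] +- com.example:jtapi-placeholder:jar:8.1.3:compile
[INFO] |  \- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \- org.apache.logging.log4j:log4j-1.2-api:jar:2.14.1:compile
""".strip("\n")


def parse_tree(text: str) -> List[Tuple[int, Dep]]:
    """Return (depth, dependency) pairs; each tree level is 3 characters wide."""
    out: List[Tuple[int, Dep]] = []
    for line in text.splitlines():
        if not line.startswith("[INFO] "):
            continue
        body = line[len("[INFO] "):]
        m = COORD_RE.search(body)
        if not m:
            continue
        depth = m.start() // 3  # root is at column 0, "+- " children at column 3, ...
        out.append((depth, (m.group(1), m.group(2), m.group(3))))
    return out


def find_log4j1(tree: List[Tuple[int, Dep]]) -> List[Tuple[str, Optional[Dep]]]:
    """Each hit is (log4j 1.x version, direct dependency that pulled it in).
    The second element is None when log4j:log4j is declared directly in the POM."""
    hits: List[Tuple[str, Optional[Dep]]] = []
    stack: List[Dep] = []  # ancestors of the current node, index == depth
    for depth, dep in tree:
        del stack[depth:]
        stack.append(dep)
        if dep[0] == "log4j" and dep[1] == "log4j":
            hits.append((dep[2], stack[1] if depth >= 2 else None))
    return hits


def versions_of(tree: List[Tuple[int, Dep]], artifact: str) -> List[str]:
    """Versions of an org.apache.logging.log4j artifact found anywhere in the tree."""
    return [v for _, (g, a, v) in tree if g == "org.apache.logging.log4j" and a == artifact]


def exclusion_xml(group: str, artifact: str) -> str:
    """Maven <exclusion> block to drop a transitive artifact from a dependency."""
    return "\n".join([
        "<exclusion>",
        f"  <groupId>{group}</groupId>",
        f"  <artifactId>{artifact}</artifactId>",
        "</exclusion>",
    ])


def assess(text: str) -> Dict[str, object]:
    """Summarise the tree against the setup the thread ends with:
    no log4j 1.x jar, a 2.x core, and the 1.2 API bridge for 1.x callers."""
    tree = parse_tree(text)
    hits = find_log4j1(tree)
    core = versions_of(tree, "log4j-core")
    bridge = versions_of(tree, "log4j-1.2-api")
    return {
        "log4j1": hits,
        "core": core,
        "bridge": bridge,
        "migrated_ok": not hits and bool(core) and bool(bridge),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_TREE)
    print("log4j-core:", report["core"], "log4j-1.2-api:", report["bridge"])
    for version, via in report["log4j1"]:
        origin = f"via {via[0]}:{via[1]}:{via[2]}" if via else "declared directly"
        print(f"log4j 1.x {version} still on classpath ({origin})")
        if via:
            print("add to that dependency's <exclusions>:")
            print(exclusion_xml("log4j", "log4j"))
    print("migration complete:", report["migrated_ok"])
```

Run it against the real output of `mvn dependency:tree` by replacing `SAMPLE_TREE` with the captured text; a `migrated_ok` of `False` with a `log4j1` hit means the bridge is sitting beside the 1.x jar instead of replacing it, which is the state a scanner will keep flagging.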
JosephSlawinski (Joined: 28/12/2016 14:51:20, Messages: 4, Offline)

Issue cleared with latest version of log4j.