JTAPI
» log4j Vulnerabilities, 16/09/2021 10:20:17
Issue cleared with latest version of log4j.

JTAPI
» log4j Vulnerabilities, 02/09/2021 08:58:22
Was able to deploy log4j version 2. Refer to the following URL for version 2 to 1 compatibility.
https://logging.apache.org/log4j/2.x/manual/compatibility.html
The following dependency was added to the POM file.
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-1.2-api</artifactId>
    <version>2.14.1</version>
</dependency>
Awaiting latest scan results to determine if this clears the issue.
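As an added example, not the poster's POM or anything from the JTAPI project, here is the Maven wiring the approach above implies, assuming jtapi is consumed as a Maven dependency (its coordinates are placeholders) and that it pulls in log4j 1.2.x transitively. The point is that adding the bridge alone does not remove the old jar; an exclusion is what keeps log4j 1.x off the classpath so the 1.2-api bridge, not the vulnerable 1.x core, answers the `org.apache.log4j` calls.

```xml
<!-- Added example, not the poster's POM. The jtapi coordinates are placeholders. -->
<dependencies>
  <!-- Assumed: jtapi declares log4j:log4j 1.2.x as a dependency. Exclude it so the
       legacy jar cannot sit beside (and shadow) the Log4j 2 bridge on the classpath. -->
  <dependency>
    <groupId>PLACEHOLDER.jtapi.groupId</groupId>
    <artifactId>PLACEHOLDER-jtapi-artifactId</artifactId>
    <version>8.1.3</version>
    <exclusions>
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Bridge: keeps existing org.apache.log4j.* call sites compiling and routes them to Log4j 2. -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-1.2-api</artifactId>
    <version>2.14.1</version>
  </dependency>

  <!-- Log4j 2 API and implementation that the bridge delegates to. -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.14.1</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.14.1</version>
  </dependency>
</dependencies>
```

Check the result with `mvn dependency:tree -Dincludes=log4j` and confirm no `log4j:log4j:jar:1.2.x` entry remains, since the scanner flags the jar that is actually on the classpath rather than the one that was intended.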

JTAPI
» log4j Vulnerabilities, 31/08/2021 14:09:49
I was able to update to the latest version of log4j, 2.14.1. It appears to work. The following dependencies were added to my POM file.
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.14.1</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.14.1</version>
</dependency>
Next application scan will determine if the issue is resolved.

JTAPI
» log4j Vulnerabilities, 31/08/2021 12:55:18
Log4J has high vulnerabilities reported. Is there any way to use jtapi version 8.1.3 without the Log4j dependency? Currently a security scan has flagged my project and I am required to resolve the security issue.
https://nvd.nist.gov/vuln/detail/CVE-2019-17571
Arbitrary Code Execution: log4j-core is vulnerable to arbitrary code execution. Deserialization of untrusted data in `TcpSocketServer` and `UdpSocketServer` when listening for log data allows an attacker to execute arbitrary code via a malicious deserialization gadget.
Thank You,
Joseph