Maven Doxia Tools / DOXIATOOLS-67

log4j 1.2 is unsupported


Details

    • Type: Dependency upgrade
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: doxia-linkcheck-1.2
    • Fix Version/s: doxia-linkcheck-1.3
    • Component/s: Doxia Linkcheck
    • Labels: None

    Description

      It also has known security issues. Do we really need this in our classpath?

      A security vulnerability, CVE-2019-17571, has been identified against Log4j 1. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be exploited. Since Log4j 1 is no longer maintained this issue will not be fixed. Users are urged to upgrade to Log4j 2.
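
Added example, not part of the original issue or the Doxia code base: a Python sketch that answers the classpath question above by scanning `mvn dependency:tree` text output for `log4j:log4j` 1.x and reporting the dependency chain that pulls it in. The sample tree and its `org.example` coordinates are constructed for illustration.

```python
import re

# Constructed sample of `mvn dependency:tree` output. The org.example
# coordinates are hypothetical and are not taken from the Doxia build.
SAMPLE_TREE = r"""
[INFO] --- dependency:tree (default-cli) @ demo-site-tool ---
[INFO] org.example:demo-site-tool:jar:1.0
[INFO] +- org.example:link-checker:jar:1.2:compile
[INFO] |  +- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] |  \- log4j:log4j:jar:1.2.14:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] \- junit:junit:jar:4.13.2:test
"""

# The indent is a run of "|  " or "   " units; a "+- " or "\- " marker
# precedes every node except the root.
NODE = re.compile(r"^\[INFO\] ((?:[| ] {2})*)([+\\]- )?(\S+)$")


def find_log4j1(tree_text):
    """Return (version, scope, path) for each log4j:log4j 1.x node found."""
    hits, stack = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line.rstrip())
        if not m:
            continue  # banner lines, blank lines, build summary
        indent, marker, coord = m.groups()
        parts = coord.split(":")
        if len(parts) < 4:
            continue
        depth = len(indent) // 3 + 1 if marker else 0
        stack = stack[:depth] + [coord]
        if marker is None:
            continue  # the root is the project itself and carries no scope
        group, artifact, version, scope = parts[0], parts[1], parts[-2], parts[-1]
        # Log4j 2 lives under org.apache.logging.log4j, so it never matches.
        if (group, artifact) == ("log4j", "log4j") and version.startswith("1."):
            hits.append((version, scope, list(stack)))
    return hits


if __name__ == "__main__":
    for version, scope, path in find_log4j1(SAMPLE_TREE):
        print(f"log4j {version} ({scope}) via: " + " -> ".join(path))
```

The reported path shows which direct dependency to upgrade or where to add an exclusion.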


          People

            Assignee: elharo Elliotte Rusty Harold
            Reporter: elharo Elliotte Rusty Harold