FtpServer / FTPSERVER-500

Security vulnerability in common/lib/log4j-1.2.17.jar


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.1.2
    • Component/s: None
    • Labels: None

    Description

      Hi. While scanning a Docker image containing Apache FTP, it reported that:
      /apache-ftpserver-1.1.1/common/lib/log4j-1.2.17.jar
      has the following vulnerability, ranked as critical:
      CVE-2019-17571

      Some further info:

      https://nsfocusglobal.com/apache-log4j-deserialization-remote-code-execution-cve-2019-17571-vulnerability-threat-alert/

      Output from the Grype scan:

      NAME                  INSTALLED                FIXED-IN  VULNERABILITY        SEVERITY   
      bash                  5.0-6ubuntu1.1                     CVE-2019-18276       Low         
      coreutils             8.30-3ubuntu2                      CVE-2016-2781        Low         
      gpgv                  2.2.19-3ubuntu2                    CVE-2019-13050       Low         
      krb5-locales          1.17-6ubuntu4.1                    CVE-2018-5709        Negligible  
      libapparmor1          2.13.3-7ubuntu5.1                  CVE-2016-1585        Medium      
      libc-bin              2.31-0ubuntu9.1                    CVE-2016-10228       Negligible  
      libc-bin              2.31-0ubuntu9.1                    CVE-2020-6096        Low         
      libc-bin              2.31-0ubuntu9.1                    CVE-2020-29562       Low         
      libc-bin              2.31-0ubuntu9.1                    CVE-2020-27618       Low         
      libc-bin              2.31-0ubuntu9.1                    CVE-2019-25013       Low         
      libc6                 2.31-0ubuntu9.1                    CVE-2016-10228       Negligible  
      libc6                 2.31-0ubuntu9.1                    CVE-2020-6096        Low         
      libc6                 2.31-0ubuntu9.1                    CVE-2020-29562       Low         
      libc6                 2.31-0ubuntu9.1                    CVE-2020-27618       Low         
      libc6                 2.31-0ubuntu9.1                    CVE-2019-25013       Low         
      libcairo-gobject2     1.16.0-4ubuntu1                    CVE-2017-9814        Low         
      libcairo-gobject2     1.16.0-4ubuntu1                    CVE-2017-7475        Low         
      libcairo-gobject2     1.16.0-4ubuntu1                    CVE-2019-6462        Low         
      libcairo-gobject2     1.16.0-4ubuntu1                    CVE-2019-6461        Low         
      libcairo-gobject2     1.16.0-4ubuntu1                    CVE-2018-18064       Low         
      libcairo2             1.16.0-4ubuntu1                    CVE-2017-9814        Low         
      libcairo2             1.16.0-4ubuntu1                    CVE-2017-7475        Low         
      libcairo2             1.16.0-4ubuntu1                    CVE-2019-6462        Low         
      libcairo2             1.16.0-4ubuntu1                    CVE-2019-6461        Low         
      libcairo2             1.16.0-4ubuntu1                    CVE-2018-18064       Low         
      libcups2              2.3.1-9ubuntu1.1                   CVE-2019-8842        Low         
      libcups2              2.3.1-9ubuntu1.1                   CVE-2020-10001       Low         
      libflac8              1.3.3-1build1                      CVE-2020-0499        Low         
      libgcrypt20           1.8.5-5ubuntu1                     CVE-2019-12904       Low         
      libgif7               5.1.9-1                            CVE-2018-11489       Low         
      libglib2.0-0          2.64.6-1~ubuntu20.04.1             CVE-2021-27218       Medium      
      libglib2.0-0          2.64.6-1~ubuntu20.04.1             CVE-2021-27219       Medium      
      libglib2.0-data       2.64.6-1~ubuntu20.04.1             CVE-2021-27218       Medium      
      libglib2.0-data       2.64.6-1~ubuntu20.04.1             CVE-2021-27219       Medium      
      libgssapi-krb5-2      1.17-6ubuntu4.1                    CVE-2018-5709        Negligible  
      libjbig0              2.1-3.1build1                      CVE-2017-9937        Negligible  
      libk5crypto3          1.17-6ubuntu4.1                    CVE-2018-5709        Negligible  
      libkrb5-3             1.17-6ubuntu4.1                    CVE-2018-5709        Negligible  
      libkrb5support0       1.17-6ubuntu4.1                    CVE-2018-5709        Negligible  
      libnss3               2:3.49.1-1ubuntu1.5                CVE-2020-25648       Low         
      libpcre3              2:8.39-12build1                    CVE-2017-11164       Negligible  
      libpcre3              2:8.39-12build1                    CVE-2020-14155       Negligible  
      libpcre3              2:8.39-12build1                    CVE-2019-20838       Low         
      libpython3.8          3.8.5-1~20.04.2                    CVE-2021-3177        Medium      
      libpython3.8          3.8.5-1~20.04.2                    CVE-2020-27619       Low         
      libpython3.8          3.8.5-1~20.04.2                    CVE-2021-23336       Medium      
      libpython3.8-minimal  3.8.5-1~20.04.2                    CVE-2021-3177        Medium      
      libpython3.8-minimal  3.8.5-1~20.04.2                    CVE-2020-27619       Low         
      libpython3.8-minimal  3.8.5-1~20.04.2                    CVE-2021-23336       Medium      
      libpython3.8-stdlib   3.8.5-1~20.04.2                    CVE-2021-3177        Medium      
      libpython3.8-stdlib   3.8.5-1~20.04.2                    CVE-2020-27619       Low         
      libpython3.8-stdlib   3.8.5-1~20.04.2                    CVE-2021-23336       Medium      
      libsqlite3-0          3.31.1-4ubuntu0.2                  CVE-2020-9794        Medium      
      libsqlite3-0          3.31.1-4ubuntu0.2                  CVE-2020-9991        Low         
      libsqlite3-0          3.31.1-4ubuntu0.2                  CVE-2020-9849        Low         
      libsystemd0           245.4-4ubuntu3.4                   CVE-2018-20839       Medium      
      libtasn1-6            4.16.0-2                           CVE-2018-1000654     Negligible  
      libtiff5              4.1.0+git191117-2build1            CVE-2018-10126       Low         
      libudev1              245.4-4ubuntu3.4                   CVE-2018-20839       Medium      
      libwebp6              0.6.1-2                            CVE-2016-9085        Medium      
      libx11-6              2:1.6.9-2ubuntu1.1                 CVE-2020-25697       Low         
      libx11-data           2:1.6.9-2ubuntu1.1                 CVE-2020-25697       Low         
      libx11-xcb1           2:1.6.9-2ubuntu1.1                 CVE-2020-25697       Low         
      libxml2               2.9.10+dfsg-5                      CVE-2020-24977       Low         
      log4j                 1.2.17                             GHSA-2qrg-x229-3v8q  Medium      
      log4j                 1.2.17                             CVE-2019-17571       Critical    
      log4j                 1.2.17                             CVE-2020-9488        Low         
      login                 1:4.8.1-1ubuntu5.20.04             CVE-2013-4235        Low         
      passwd                1:4.8.1-1ubuntu5.20.04             CVE-2013-4235        Low         
      rt                    1.8.0_282                          CVE-2011-0009        Medium      
      rt                    1.8.0_282                          CVE-2011-1007        Low         
      rt                    1.8.0_282                          CVE-2011-1008        Medium      
      rt                    1.8.0_282                          CVE-2011-2085        Medium      
      x11-common            1:7.7+19ubuntu14                   CVE-2012-1093        Low         
      xdg-user-dirs         0.17-2ubuntu1                      CVE-2017-15131       Low    
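The Grype table above is the kind of output a build pipeline gates on. The following is an added example, not code from the issue or from the FtpServer project: a Python parser for Grype's fixed-width table (column offsets are read from the header line, so the frequently empty FIXED-IN column is preserved instead of shifting the remaining fields) and a severity gate that fails when any finding is at or above a chosen level. The sample rows are constructed from a subset of the findings quoted above, and the severity ranking is this example's own assumption.

```python
"""Parse Grype's table output and gate on a severity threshold.

Added example (not part of the Jira issue or the FtpServer project). Column
boundaries are taken from the header line, so an empty FIXED-IN cell becomes
"" rather than shifting the remaining fields left (which is what a naive
whitespace split would do).
"""
from __future__ import annotations

import textwrap
from dataclasses import dataclass

# Severity order used by the gate (assumed here); Grype's "Unknown" is treated as lowest.
SEVERITY_RANK = {"unknown": 0, "negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

COLUMNS = ("NAME", "INSTALLED", "FIXED-IN", "VULNERABILITY", "SEVERITY")


@dataclass(frozen=True)
class Finding:
    name: str
    installed: str
    fixed_in: str
    vulnerability: str
    severity: str


def parse_grype_table(text: str) -> list[Finding]:
    """Parse Grype table output into Finding records.

    The header fixes the start offset of every column; each data line is sliced
    at those offsets and stripped, so blank cells survive as empty strings.
    """
    lines = [line for line in textwrap.dedent(text).splitlines() if line.strip()]
    if not lines:
        return []
    header = lines[0]
    starts = [header.index(col) for col in COLUMNS]
    bounds = list(zip(starts, starts[1:] + [None]))
    return [Finding(*(line[a:b].strip() for a, b in bounds)) for line in lines[1:]]


def findings_for_package(findings: list[Finding], name: str) -> list[Finding]:
    """All findings reported against one package name (e.g. "log4j")."""
    return [f for f in findings if f.name == name]


def findings_at_or_above(findings: list[Finding], threshold: str) -> list[Finding]:
    """Findings whose severity is at or above `threshold` ("negligible" .. "critical")."""
    floor = SEVERITY_RANK[threshold.lower()]
    return [f for f in findings if SEVERITY_RANK.get(f.severity.lower(), 0) >= floor]


def gate(text: str, threshold: str = "high") -> tuple[bool, list[Finding]]:
    """Return (passed, blocking_findings) for a CI-style severity gate."""
    blocking = findings_at_or_above(parse_grype_table(text), threshold)
    return (not blocking, blocking)


# Constructed sample in Grype's table layout (a subset of the rows quoted in the issue).
SAMPLE_GRYPE_OUTPUT = """\
NAME          INSTALLED               FIXED-IN  VULNERABILITY        SEVERITY
bash          5.0-6ubuntu1.1                    CVE-2019-18276       Low
libglib2.0-0  2.64.6-1~ubuntu20.04.1            CVE-2021-27218       Medium
log4j         1.2.17                            GHSA-2qrg-x229-3v8q  Medium
log4j         1.2.17                            CVE-2019-17571       Critical
log4j         1.2.17                            CVE-2020-9488        Low
"""

if __name__ == "__main__":
    passed, blocking = gate(SAMPLE_GRYPE_OUTPUT, "high")
    print("gate passed" if passed else "gate FAILED")
    for f in blocking:
        print(f"  {f.name} {f.installed}: {f.vulnerability} ({f.severity})")
```

Run against a real scan with `grype <image> -o table | python this_script.py` after swapping the constructed sample for `sys.stdin.read()`; with the rows above, the "high" gate fails on CVE-2019-17571 alone, which is the finding this issue is about.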

      Attachments

        Activity


          People

            Assignee: johnnyv Jonathan Valliere
            Reporter: teng1 Thomas England
            Votes: 0
            Watchers: 4

            Dates

              Created:
              Updated:
              Resolved:
