[MDEP-792] Log4j vulnerability dependencies getting downloaded during the Maven build process - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Cannot Reproduce
Affects Version/s: None
Fix Version/s: None
Component/s: unpack-dependencies
Labels:
None
Environment:
Jenkins Build

Description

We are using Maven as a build tool for MuleSoft application using Jenkins.

As part of log4j2 vulnerability scan reports, the MuleSoft Jenkins build servers got listed.

We verified application Jar file not referring these older versions of log4j.

Below are the findings when we use 3.6.3 and 3.8.4 versions of maven.

Before running the build, we have already clean-up the /tmp & /.m2.

	Maven 3.6.3	After upgrade Maven 3.8.4
log4j	2.11.2 2.13.1 2.17.1 2.9.1	2.11.2 2.13.1 2.17.1 2.9.1
log4j-1.2-api	2.13.1	2.13.1
log4j-api	2.13.1 2.17.1 2.9.1	2.13.1 2.17.1 2.9.1
log4j-core	2.13.1 2.17.1 2.9.1	2.13.1 2.17.1 2.9.1
log4j-slf4j-impl	2.11.2 2.13.1 2.9.1	2.11.2 2.13.1 2.9.1

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

Log4j_Vulverability_Problem.docx
16/Feb/22 07:21
15 kB
Abhishek Patnaik

Activity

People

Assignee:: Unassigned

Reporter:: Abhishek Patnaik

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 16/Feb/22 07:21

Updated:: 23/Feb/22 20:58

Resolved:: 23/Feb/22 20:58